Systems and methods for effective delivery of simulated phishing campaigns

ABSTRACT

Systems and methods are described for improving assessment of security risk based on a user's personal information. Registration of personal information of a user of an organization is received at a security awareness system. After the registration of the personal information is received, at least one of an exposure check or a security audit of the personal information of the user is performed by the security awareness system. A personal risk score of the user is then generated or adjusted based at least on a result of one of the exposure check or the security audit.

RELATED APPLICATION

This patent application is a Continuation of and claims the benefit of and priority to U.S. Non-Provisional patent application Ser. No. 17/546,676 titled “SYSTEMS AND METHODS FOR IMPROVING ASSESSMENT OF SECURITY RISK BASED ON PERSONAL INTERNET ACCOUNT DATA,” and filed Dec. 9, 2021, which claims the benefit of and priority to U.S. Provisional Patent Application No. 63/123,812 titled “SYSTEMS AND METHODS FOR IMPROVING ASSESSMENT OF SECURITY RISK BASED ON PERSONAL INTERNET ACCOUNT DATA,” and filed Dec. 10, 2020, which also claims the benefit of and priority to U.S. Provisional Patent Application No. 63/142,071 titled “SYSTEMS AND METHODS FOR IMPROVING ASSESSMENT OF SECURITY RISK BASED ON PERSONAL INTERNET ACCOUNT DATA,” and filed Jan. 27, 2021, the contents of all of which are hereby incorporated herein by reference in their entirety for all purposes.

TECHNICAL FIELD

The present disclosure relates to systems and methods for improving assessment of security risk that users pose to an organization based on their personal internet account data.

BACKGROUND

Cybersecurity incidents such as phishing attacks may cost organizations in terms of the loss of confidential and/or important information and expense in mitigating losses due to breaches of confidential information. Such incidents can also cause customers to lose trust in the organizations. The incidents of cybersecurity attacks and the costs of mitigating the damage caused are increasing every year. Organizations invest in cybersecurity tools such as antivirus, anti-ransomware, anti-phishing, and other platforms. Such cybersecurity tools may detect and intercept known cybersecurity attacks. However, social engineering attacks or new threats may not be readily detectable by such tools, and the organizations may have to rely on their employees to recognize such threats. A social engineering attack is an attack that exploits human behavior to gain access to an organization's systems through attack vectors such as phishing emails. A phishing email may include content to be presented to a user, where the content is chosen to convince the user that the phishing email is genuine and that the user should interact with it. The more contextually relevant and personal the content is to the user, the higher the likelihood that the user will interact with it.

Among the cybersecurity attacks, organizations have recognized phishing attacks and social engineering attacks as one of the most prominent threats that can cause serious data breaches, including confidential information such as intellectual property, financial information, organizational information, and other important information. Attackers who launch phishing attacks and social engineering attacks may attempt to evade an organization's security apparatuses and tools and target its employees. To prevent or to reduce the success rate of phishing attacks on employees, the organizations may conduct security awareness training programs for their employees, along with other security measures. Through security awareness training programs, the organizations actively educate their employees on how to spot and report a suspected phishing attack. These organizations may operate the security awareness training programs through their in-house cybersecurity teams or may utilize third-party entities who are experts in cybersecurity matters to conduct such training. The employees may follow best practices of cybersecurity hygiene and comply with security regulations while working in offices. At times, for example, while working remotely, the employees may not follow the best practices of cybersecurity hygiene and may not comply with security regulations, partly due to the fact that the employees do not feel watched.

An organization's security may also be affected by its employees' behavior outside the organization. For example, the employees' behavior when in their personal domain may directly or indirectly jeopardize the organization's security. Examples of such behaviors include using the organization's email address for personal purposes and password reuse between work and personal accounts.

SUMMARY

The present disclosure generally relates to systems and methods for improving assessment of security risk that users pose to an organization based on their personal internet account data or other personal information.

Systems and methods are provided for using personal information of a user for determining a personal risk score of the user of an organization. In an example embodiment, a method of using personal information of a user for determining a personal risk score of the user of an organization is described, which includes: receiving, by a security awareness system configured on one or more servers, personal information of a user or registration of personal information of a user of an organization; performing, by the security awareness system, at least one of an exposure check or a security audit of the personal information of the user; and adjusting, by the security awareness system, a personal risk score of the user based at least on a result of one of the exposure check or the security audit.

In some implementations, the method includes verifying, by the security awareness system, an email address identified by the personal information as used in a personal domain of the user.

In some implementations, the method includes storing, by the security awareness system, the email address used in the personal domain of the user in association with a profile of the user for the security awareness system.

In some implementations, the method includes registering the personal information with the security awareness system in response to the email address used in the personal domain of the user being verified.

In some implementations, the method includes storing, by the security awareness system, the personal information in an obfuscated form.

In some implementations, the method includes performing an exposure check by searching, using at least one of an email address or a username in the personal information, for breached user information in one or more breach databases.

In some implementations, the method includes performing a security audit by assessing a strength of one or more registered personal passwords from the personal information and compliance with password requirements of the organization.

In some implementations, the method includes adjusting the personal risk score of the user based on at least the user's registration of the personal information with the security awareness system or based on the security awareness system receiving the user's personal information.

In some implementations, the method includes determining, by the security awareness system, a risk score based at least on the personal risk score of the user.

In some implementations, the method includes performing, by the security awareness system, based on at least the personal risk score of the user, one of a remedial training or a simulated phishing campaign directed to the user.
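The registration, exposure check, security audit, score adjustment and action selection described in the steps above, as an added example in Python (not code from the patent or from any product it describes). The breach database, the organization password policy, the score weights, the action thresholds and the sample users are constructed assumptions.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed server-side secret; personal identifiers are persisted only as keyed hashes.
PEPPER = b"constructed-pepper-value"

# Constructed stand-in for a breach database, keyed by SHA-256 of the lower-cased
# email address or username and mapping to the breaches it appeared in.
BREACH_DB = {
    hashlib.sha256(b"alice.home@example.net").hexdigest(): ["ExampleShop-2019"],
    hashlib.sha256(b"alice_h").hexdigest(): ["ForumDump-2020"],
}

# Hypothetical organization password requirements used by the security audit.
ORG_POLICY = {"min_length": 12, "classes_required": 3}

@dataclass
class Registration:
    """Personal information as submitted to the security awareness system."""
    user_id: str
    personal_email: str
    username: str
    personal_passwords: list
    org_password_hash: str   # SHA-256 of the org password (constructed for the sample)
    email_verified: bool = False

@dataclass
class Profile:
    """What the system keeps: identifiers in obfuscated form, plus the score and findings."""
    user_id: str
    email_digest: str
    username_digest: str
    personal_risk_score: float = 50.0
    findings: list = field(default_factory=list)

def obfuscate(value: str) -> str:
    """Keyed hash used for storage, so raw personal identifiers are never persisted."""
    return hmac.new(PEPPER, value.strip().lower().encode(), hashlib.sha256).hexdigest()

def lookup_key(value: str) -> str:
    """Unkeyed digest used only to query the breach database."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()

def exposure_check(reg: Registration) -> list:
    """Search breach data by email address and by username."""
    hits = []
    for ident in (reg.personal_email, reg.username):
        hits += [f"breach:{b}" for b in BREACH_DB.get(lookup_key(ident), [])]
    return hits

def password_classes(pw: str) -> int:
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))

def security_audit(reg: Registration) -> list:
    """Assess personal password strength against the org policy and flag org-password reuse."""
    findings = []
    for pw in reg.personal_passwords:
        if len(pw) < ORG_POLICY["min_length"] or password_classes(pw) < ORG_POLICY["classes_required"]:
            findings.append("weak_personal_password")
        if hashlib.sha256(pw.encode()).hexdigest() == reg.org_password_hash:
            findings.append("org_password_reused")
    return findings

def register(reg: Registration) -> Profile:
    """Verify, store in obfuscated form, run both checks, and adjust the personal risk score."""
    if not reg.email_verified:
        raise ValueError("personal email must be verified before registration")
    profile = Profile(reg.user_id, obfuscate(reg.personal_email), obfuscate(reg.username))
    profile.personal_risk_score -= 10.0          # registering at all lowers the score
    profile.findings = exposure_check(reg) + security_audit(reg)
    profile.personal_risk_score += 10.0 * sum(f.startswith("breach:") for f in profile.findings)
    profile.personal_risk_score += 10.0 * profile.findings.count("weak_personal_password")
    profile.personal_risk_score += 20.0 * profile.findings.count("org_password_reused")
    profile.personal_risk_score = max(0.0, min(100.0, profile.personal_risk_score))
    return profile

def overall_risk_score(profile: Profile, org_behaviour_score: float) -> float:
    """Org-level risk score that takes the personal risk score into account (weights assumed)."""
    return round(0.4 * profile.personal_risk_score + 0.6 * org_behaviour_score, 1)

def choose_action(profile: Profile) -> str:
    """Pick remedial training or a simulated phishing campaign from the personal score."""
    if profile.personal_risk_score >= 70:
        return "remedial_training"
    if profile.personal_risk_score >= 45:
        return "simulated_phishing_campaign"
    return "none"

# Constructed sample registrations.
ALICE = Registration("u1", "Alice.Home@example.net", "alice_h",
                     ["Correct-Horse-Battery-42", "hunter2"],
                     hashlib.sha256(b"hunter2").hexdigest(), email_verified=True)
BOB = Registration("u2", "bob@example.net", "bobby", ["Long-Enough-Pass-99"],
                   hashlib.sha256(b"different-org-secret").hexdigest(), email_verified=True)
```

Calling `register(ALICE)` yields two breach hits, one weak personal password and one reuse of the organization password, so the score rises from the post-registration 40 to 90 and `choose_action` selects remedial training; `register(BOB)` finds nothing and stays at 40.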

In another example implementation, the security awareness system is configured to determine when a user has registered for a website in a personal domain using his or her organization login credentials, based on monitoring a mailbox of the user. In an implementation, the security awareness system is configured to determine whether the user has registered for the website using current organization login credentials or previous organization login credentials. The security awareness system provides training to the user about safe use of the organization login credentials.

Other aspects and advantages of the disclosure will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of the disclosure.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects, features, and advantages of the disclosure will become more apparent and better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:

FIG. 1A is a block diagram depicting an embodiment of a network environment comprising client devices in communication with server devices, according to some embodiments;

FIG. 1B is a block diagram depicting a cloud computing environment comprising client devices in communication with cloud service providers, according to some embodiments;

FIGS. 1C and 1D are block diagrams depicting embodiments of computing devices useful in connection with the methods and systems described herein, according to some embodiments;

FIG. 2 depicts an implementation of some of an architecture of a system for determining a personal risk score of a user of an organization based on personal information of the user, according to some embodiments;

FIG. 3 depicts a flowchart for detecting that the user has registered for a personal domain website using an organization email address, according to some embodiments;

FIG. 4 depicts a flowchart for using personal information for determining the personal risk score of the user of the organization, according to some embodiments; and

FIG. 5 depicts a flowchart for performing a remedial training or a simulated phishing campaign directed to the user based on the personal risk score of the user, according to some embodiments.

DETAILED DESCRIPTION

For the purposes of reading the description of the various embodiments below, the following descriptions of the sections of the specification and their respective contents may be helpful:

Section A describes a network environment and computing environment which may be useful for practicing embodiments described herein.

Section B describes embodiments of systems and methods for improving assessment of security risk that users pose to an organization based on their personal internet account data.

A. Computing and Network Environment

Prior to discussing specific embodiments of the present solution, it may be helpful to describe aspects of the operating environment as well as associated system components (e.g. hardware elements) in connection with the methods and systems described herein. Referring to FIG. 1A, an embodiment of a network environment is depicted. In a brief overview, the network environment includes one or more clients 102 a-102 n (also generally referred to as local machine(s) 102, client(s) 102, client node(s) 102, client machine(s) 102, client computer(s) 102, client device(s) 102, endpoint(s) 102, or endpoint node(s) 102) in communication with one or more servers 106 a-106 n (also generally referred to as server(s) 106, node(s) 106, machine(s) 106, or remote machine(s) 106) via one or more networks 104. In some embodiments, client 102 has the capacity to function as both a client node seeking access to resources provided by a server and as a server providing access to hosted resources for other clients 102 a-102 n.

Although FIG. 1A shows a network 104 between clients 102 and the servers 106, clients 102 and servers 106 may be on the same network 104. In some embodiments, there are multiple networks 104 between clients 102 and servers 106. In one of these embodiments, network 104′ (not shown) may be a private network and a network 104 may be a public network. In another of these embodiments, network 104 may be a private network and a network 104′ may be a public network. In still another of these embodiments, networks 104 and 104′ may both be private networks.

Network 104 may be connected via wired or wireless links. Wired links may include Digital Subscriber Line (DSL), coaxial cable lines, or optical fiber lines. Wireless links may include Bluetooth®, Bluetooth Low Energy (BLE), ANT/ANT+, ZigBee, Z-Wave, Thread, Wi-Fi®, Worldwide Interoperability for Microwave Access (WiMAX®), mobile WiMAX®, WiMAX®-Advanced, NFC, SigFox, LoRa, Random Phase Multiple Access (RPMA), Weightless-N/P/W, an infrared channel, or a satellite band. The wireless links may also include any cellular network standards to communicate among mobile devices, including standards that qualify as 1G, 2G, 3G, 4G, or 5G. The network standards may qualify as one or more generations of mobile telecommunication standards by fulfilling a specification or standards such as the specifications maintained by the International Telecommunication Union. The 3G standards, for example, may correspond to the International Mobile Telecommunications-2000 (IMT-2000) specification, and the 4G standards may correspond to the International Mobile Telecommunication Advanced (IMT-Advanced) specification. Examples of cellular network standards include AMPS, GSM, GPRS, UMTS, CDMA2000, CDMA-1xRTT, CDMA-EVDO, LTE, LTE-Advanced, LTE-M1, and Narrowband IoT (NB-IoT). Wireless standards may use various channel access methods, e.g. FDMA, TDMA, CDMA, or SDMA. In some embodiments, different types of data may be transmitted via different links and standards. In other embodiments, the same types of data may be transmitted via different links and standards.

Network 104 may be any type and/or form of network. The geographical scope of the network may vary widely and network 104 can be a body area network (BAN), a personal area network (PAN), a local-area network (LAN), e.g. Intranet, a metropolitan area network (MAN), a wide area network (WAN), or the Internet. The topology of network 104 may be of any form and may include, e.g., any of the following: point-to-point, bus, star, ring, mesh, or tree. Network 104 may be an overlay network which is virtual and sits on top of one or more layers of other networks 104′. Network 104 may be of any such network topology as known to those ordinarily skilled in the art capable of supporting the operations described herein. Network 104 may utilize different techniques and layers or stacks of protocols, including, e.g., the Ethernet protocol, the internet protocol suite (TCP/IP), the ATM (Asynchronous Transfer Mode) technique, the SONET (Synchronous Optical Networking) protocol, or the SDH (Synchronous Digital Hierarchy) protocol. The TCP/IP internet protocol suite may include application layer, transport layer, internet layer (including, e.g., IPv4 and IPv6), or the link layer. Network 104 may be a type of broadcast network, a telecommunications network, a data communication network, or a computer network.

In some embodiments, the system may include multiple, logically grouped servers 106. In one of these embodiments, the logical group of servers may be referred to as a server farm, a server cluster, or a machine farm. In another of these embodiments, servers 106 may be geographically dispersed. In other embodiments, a machine farm may be administered as a single entity. In still other embodiments, the machine farm includes a plurality of machine farms. Servers 106 within each machine farm can be heterogeneous: one or more of servers 106 or machines 106 can operate according to one type of operating system platform (e.g., Windows, manufactured by Microsoft Corp. of Redmond, Wash.), while one or more of the other servers 106 can operate according to another type of operating system platform (e.g., Unix, Linux, or Mac OSX).

In one embodiment, servers 106 in the machine farm may be stored in high-density rack systems, along with associated storage systems, and located in an enterprise data center. In this embodiment, consolidating servers 106 in this way may improve system manageability, data security, the physical security of the system, and system performance by locating servers 106 and high-performance storage systems on localized high-performance networks. Centralizing servers 106 and storage systems and coupling them with advanced system management tools allows more efficient use of server resources.

Servers 106 of each machine farm do not need to be physically proximate to another server 106 in the same machine farm. Thus, the group of servers 106 logically grouped as a machine farm may be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a machine farm may include servers 106 physically located in different continents or different regions of a continent, country, state, city, campus, or room. Data transmission speeds between servers 106 in the machine farm can be increased if servers 106 are connected using a local-area network (LAN) connection or some form of direct connection. Additionally, a heterogeneous machine farm may include one or more servers 106 operating according to a type of operating system, while one or more other servers execute one or more types of hypervisors rather than operating systems. In these embodiments, hypervisors may be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and execute virtual machines that provide access to computing environments, allowing multiple operating systems to run concurrently on a host computer. Native hypervisors may run directly on the host computer. Hypervisors may include VMware ESX/ESXi, manufactured by VMware, Inc., of Palo Alto, Calif.; the Xen hypervisor, an open source product whose development is overseen by Citrix Systems, Inc. of Fort Lauderdale, Florida; the HYPER-V hypervisors provided by Microsoft; or others. Hosted hypervisors may run within an operating system on a second software level. Examples of hosted hypervisors may include VMware Workstation and VirtualBox, manufactured by Oracle Corporation of Redwood City, Calif. Additional layers of abstraction may include Container Virtualization and Management infrastructure. Container Virtualization isolates execution of a service to the container while relaying instructions to the machine through one operating system layer per host machine. Container infrastructure may include Docker, an open source product whose development is overseen by Docker, Inc. of San Francisco, Calif.

Management of the machine farm may be de-centralized. For example, one or more servers 106 may comprise components, subsystems, and modules to support one or more management services for the machine farm. In one of these embodiments, one or more servers 106 provide functionality for management of dynamic data, including techniques for handling failover, data replication, and increasing the robustness of the machine farm. Each server 106 may communicate with a persistent store and, in some embodiments, with a dynamic store.

Server 106 may be a file server, application server, web server, proxy server, appliance, network appliance, gateway, gateway server, virtualization server, deployment server, SSL VPN server, or security system. In one embodiment, a plurality of servers 106 may be in the path between any two communicating servers 106.

Referring to FIG. 1B, a cloud computing environment is depicted. A cloud computing environment may provide client 102 with one or more resources provided by a network environment. The cloud computing environment may include one or more clients 102 a-102 n, in communication with cloud 108 over one or more networks 104. Clients 102 may include, e.g., thick clients, thin clients, and zero clients. A thick client may provide at least some functionality even when disconnected from cloud 108 or servers 106. A thin client or zero client may depend on the connection to cloud 108 or server 106 to provide functionality. A zero client may depend on cloud 108 or other networks 104 or servers 106 to retrieve operating system data for the client device 102. Cloud 108 may include back end platforms, e.g., servers 106, storage, server farms or data centers.

Cloud 108 may be public, private, or hybrid. Public clouds may include public servers 106 that are maintained by third parties to clients 102 or the owners of the clients. Servers 106 may be located off-site in remote geographical locations as disclosed above or otherwise. Public clouds may be connected to servers 106 over a public network. Private clouds may include private servers 106 that are physically maintained by clients 102 or owners of clients. Private clouds may be connected to servers 106 over a private network 104. Hybrid clouds 109 may include both the private and public networks 104 and servers 106.

Cloud 108 may also include a cloud-based delivery, e.g. Software as a Service (SaaS) 110, Platform as a Service (PaaS) 112, and Infrastructure as a Service (IaaS) 114. IaaS may refer to a user renting the use of infrastructure resources that are needed during a specified time period. IaaS providers may offer storage, networking, servers, or virtualization resources from large pools, allowing the users to quickly scale up by accessing more resources as needed. Examples of IaaS include Amazon Web Services (AWS) provided by Amazon, Inc. of Seattle, Wash., Rackspace Cloud provided by Rackspace Inc. of San Antonio, Texas, Google Compute Engine provided by Google Inc. of Mountain View, Calif., or RightScale provided by RightScale, Inc. of Santa Barbara, Calif. PaaS providers may offer functionality provided by IaaS, including, e.g., storage, networking, servers, virtualization, or containerization, as well as additional resources, e.g., the operating system, middleware, or runtime resources. Examples of PaaS include Windows Azure provided by Microsoft Corporation of Redmond, Wash., Google App Engine provided by Google Inc., and Heroku provided by Heroku, Inc. of San Francisco, Calif. SaaS providers may offer the resources that PaaS provides, including storage, networking, servers, virtualization, operating system, middleware, or runtime resources. In some embodiments, SaaS providers may offer additional resources including, e.g., data and application resources. Examples of SaaS include Google Apps provided by Google Inc., Salesforce provided by Salesforce.com Inc. of San Francisco, Calif., or Office365 provided by Microsoft Corporation. Examples of SaaS may also include storage providers, e.g. Dropbox provided by Dropbox Inc. of San Francisco, Calif., Microsoft OneDrive provided by Microsoft Corporation, Google Drive provided by Google Inc., or Apple iCloud provided by Apple Inc. of Cupertino, Calif.

Clients 102 may access IaaS resources with one or more IaaS standards, including, e.g., Amazon Elastic Compute Cloud (EC2), Open Cloud Computing Interface (OCCI), Cloud Infrastructure Management Interface (CIMI), or OpenStack standards. Some IaaS standards may allow clients access to resources over a Hypertext Transfer Protocol (HTTP) and may use Representational State Transfer (REST) protocol or Simple Object Access Protocol (SOAP). Clients 102 may access PaaS resources with different PaaS interfaces. Some PaaS interfaces use HTTP packages, standard Java APIs, JavaMail API, Java Data Objects (JDO), Java Persistence API (JPA), Python APIs, web integration APIs for different programming languages including, e.g., Rack for Ruby, WSGI for Python, or PSGI for Perl, or other APIs that may be built on REST, HTTP, XML, or other protocols. Clients 102 may access SaaS resources using web-based user interfaces, provided by a web browser (e.g. Google Chrome, Microsoft Internet Explorer, or Mozilla Firefox provided by Mozilla Foundation of Mountain View, Calif.). Clients 102 may also access SaaS resources through smartphone or tablet applications, including e.g., Salesforce Sales Cloud, or Google Drive App. Clients 102 may also access SaaS resources through the client operating system, including e.g. Windows file system for Dropbox.

In some embodiments, access to IaaS, PaaS, or SaaS resources may be authenticated. For example, a server or authentication server may authenticate a user via security certificates, HTTPS, or API keys. API keys may include various encryption standards such as, e.g., Advanced Encryption Standard (AES). Data resources may be sent over Transport Layer Security (TLS) or Secure Sockets Layer (SSL).

Client 102 and server 106 may be deployed as and/or executed on any type and form of computing device, e.g., a computer, network device or appliance capable of communicating on any type and form of network and performing the operations described herein.

FIGS. 1C and 1D depict block diagrams of a computing device 100 useful for practicing an embodiment of client 102 or server 106. As shown in FIGS. 1C and 1D, each computing device 100 includes central processing unit 121, and main memory unit 122. As shown in FIG. 1C, computing device 100 may include storage device 128, installation device 116, network interface 118, and I/O controller 123, display devices 124 a-124 n, keyboard 126 and pointing device 127, e.g., a mouse. Storage device 128 may include, without limitation, operating system 129, software 131, and software of security awareness system 120. As shown in FIG. 1D, each computing device 100 may also include additional optional elements, e.g., a memory port 103, bridge 170, one or more input/output devices 130 a-130 n (generally referred to using reference numeral 130), and cache memory 140 in communication with central processing unit 121.

Central processing unit 121 is any logic circuitry that responds to and processes instructions fetched from main memory unit 122. In many embodiments, central processing unit 121 is provided by a microprocessor unit, e.g.: those manufactured by Intel Corporation of Mountain View, Calif.; those manufactured by Motorola Corporation of Schaumburg, Illinois; the ARM processor and TEGRA system on a chip (SoC) manufactured by Nvidia of Santa Clara, Calif.; the POWER7 processor, those manufactured by International Business Machines of White Plains, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif. Computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein. Central processing unit 121 may utilize instruction level parallelism, thread level parallelism, different levels of cache, and multi-core processors. A multi-core processor may include two or more processing units on a single computing component. Examples of multi-core processors include the AMD PHENOM IIX2, INTEL CORE i5 and INTEL CORE i7.

Main memory unit 122 may include one or more memory chips capable of storing data and allowing any storage location to be directly accessed by microprocessor 121. Main memory unit 122 may be volatile and faster than storage 128 memory. Main memory units 122 may be Dynamic Random-Access Memory (DRAM) or any variants, including static Random-Access Memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Single Data Rate Synchronous DRAM (SDR SDRAM), Double Data Rate SDRAM (DDR SDRAM), Direct Rambus DRAM (DRDRAM), or Extreme Data Rate DRAM (XDR DRAM). In some embodiments, main memory 122 or storage 128 may be non-volatile; e.g., non-volatile read access memory (NVRAM), flash memory non-volatile static RAM (nvSRAM), Ferroelectric RAM (FeRAM), Magnetoresistive RAM (MRAM), Phase-change memory (PRAM), conductive-bridging RAM (CBRAM), Silicon-Oxide-Nitride-Oxide-Silicon (SONOS), Resistive RAM (RRAM), Racetrack, Nano-RAM (NRAM), or Millipede memory. Main memory 122 may be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein. In the embodiment shown in FIG. 1C, the processor 121 communicates with main memory 122 via system bus 150 (described in more detail below). FIG. 1D depicts an embodiment of computing device 100 in which the processor communicates directly with main memory 122 via memory port 103. For example, in FIG. 1D main memory 122 may be DRDRAM.

FIG. 1D depicts an embodiment in which the main processor 121 communicates directly with cache memory 140 via a secondary bus, sometimes referred to as a backside bus. In other embodiments, main processor 121 communicates with cache memory 140 using system bus 150. Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM. In the embodiment shown in FIG. 1D, the processor 121 communicates with various I/O devices 130 via local system bus 150. Various buses may be used to connect central processing unit 121 to any of I/O devices 130, including a PCI bus, a PCI-X bus, or a PCI-Express bus, or a NuBus. For embodiments in which the I/O device is video display 124, the processor 121 may use an Advanced Graphic Port (AGP) to communicate with display 124 or the I/O controller 123 for display 124. FIG. 1D depicts an embodiment of computer 100 in which main processor 121 communicates directly with I/O device 130 b or other processors 121′ via HYPERTRANSPORT, RAPIDIO, or INFINIBAND communications technology. FIG. 1D also depicts an embodiment in which local busses and direct communication are mixed: the processor 121 communicates with I/O device 130 a using a local interconnect bus while communicating with I/O device 130 b directly.

A wide variety of I/O devices 130 a-130 n may be present in computing device 100. Input devices may include keyboards, mice, trackpads, trackballs, touchpads, touch mice, multi-touch touchpads and touch mice, microphones, multi-array microphones, drawing tablets, cameras, single-lens reflex cameras (SLR), digital SLR (DSLR), CMOS sensors, accelerometers, infrared optical sensors, pressure sensors, magnetometer sensors, angular rate sensors, depth sensors, proximity sensors, ambient light sensors, gyroscopic sensors, or other sensors. Output devices may include video displays, graphical displays, speakers, headphones, inkjet printers, laser printers, and 3D printers.

Devices 130 a-130 n may include a combination of multiple input or output devices, including, e.g., Microsoft KINECT, Nintendo Wiimote for the WII, Nintendo WII U GAMEPAD, or Apple iPhone. Some devices 130 a-130 n allow gesture recognition inputs through combining some of the inputs and outputs. Some devices 130 a-130 n provide for facial recognition which may be utilized as an input for different purposes including authentication and other commands. Some devices 130 a-130 n provide for voice recognition and inputs, including, e.g., Microsoft KINECT, SIRI for iPhone by Apple, Google Now or Google Voice Search, and Alexa by Amazon.

Additional devices 130 a-130 n have both input and output capabilities, including, e.g., haptic feedback devices, touchscreen displays, or multi-touch displays. Touchscreen, multi-touch displays, touchpads, touch mice, or other touch sensing devices may use different technologies to sense touch, including, e.g., capacitive, surface capacitive, projected capacitive touch (PCT), in cell capacitive, resistive, infrared, waveguide, dispersive signal touch (DST), in-cell optical, surface acoustic wave (SAW), bending wave touch (BWT), or force-based sensing technologies. Some multi-touch devices may allow two or more contact points with the surface, allowing advanced functionality including, e.g., pinch, spread, rotate, scroll, or other gestures. Some touchscreen devices, including, e.g., Microsoft PIXELSENSE or Multi-Touch Collaboration Wall, may have larger surfaces, such as on a table-top or on a wall, and may also interact with other electronic devices. Some I/O devices 130 a-130 n, display devices 124 a-124 n or group of devices may be augmented reality devices. The I/O devices may be controlled by I/O controller 123 as shown in FIG. 1C. The I/O controller may control one or more I/O devices, such as, e.g., keyboard 126 and pointing device 127, e.g., a mouse or optical pen. Furthermore, an I/O device may also provide storage and/or installation medium 116 for computing device 100. In still other embodiments, computing device 100 may provide USB connections (not shown) to receive handheld USB storage devices. In further embodiments, an I/O device 130 may be a bridge between the system bus 150 and an external communication bus, e.g. a USB bus, a SCSI bus, a FireWire bus, an Ethernet bus, a Gigabit Ethernet bus, a Fibre Channel bus, or a Thunderbolt bus.

In some embodiments, display devices 124 a-124 n may be connected to I/O controller 123. Display devices may include, e.g., liquid crystal displays (LCD), thin film transistor LCD (TFT-LCD), blue phase LCD, electronic paper (e-ink) displays, flexible displays, light emitting diode (LED) displays, digital light processing (DLP) displays, liquid crystal on silicon (LCOS) displays, organic light-emitting diode (OLED) displays, active-matrix organic light-emitting diode (AMOLED) displays, liquid crystal laser displays, time-multiplexed optical shutter (TMOS) displays, or 3D displays. Examples of 3D displays may use, e.g., stereoscopy, polarization filters, active shutters, or autostereoscopy. Display devices 124 a-124 n may also be a head-mounted display (HMD). In some embodiments, display devices 124 a-124 n or the corresponding I/O controllers 123 may be controlled through or have hardware support for the OPENGL or DIRECTX API or other graphics libraries.

In some embodiments, computing device 100 may include or connect to multiple display devices 124 a-124 n, each of which may be of the same or different type and/or form. As such, any of I/O devices 130 a-130 n and/or the I/O controller 123 may include any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124 a-124 n by computing device 100. For example, computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect, or otherwise use display devices 124 a-124 n. In one embodiment, a video adapter may include multiple connectors to interface to multiple display devices 124 a-124 n. In other embodiments, computing device 100 may include multiple video adapters, with each video adapter connected to one or more of display devices 124 a-124 n. In some embodiments, any portion of the operating system of computing device 100 may be configured for using multiple displays 124 a-124 n. In other embodiments, one or more of the display devices 124 a-124 n may be provided by one or more other computing devices 100 a or 100 b connected to computing device 100 via network 104. In some embodiments, software may be designed and constructed to use another computer's display device as second display device 124 a for computing device 100. For example, in one embodiment, an Apple iPad may connect to computing device 100 and use the display of the device 100 as an additional display screen that may be used as an extended desktop. One ordinarily skilled in the art will recognize and appreciate the various ways and embodiments that computing device 100 may be configured to have multiple display devices 124 a-124 n.

Referring again to FIG. 1C, computing device 100 may comprise storage device 128 (e.g., one or more hard disk drives or redundant arrays of independent disks) for storing an operating system or other related software, and for storing application software programs such as any program related to security awareness system 120. Examples of storage device 128 include, e.g., hard disk drive (HDD); optical drive including CD drive, DVD drive, or BLU-RAY drive; solid-state drive (SSD); USB flash drive; or any other device suitable for storing data. Some storage devices may include multiple volatile and non-volatile memories, including, e.g., solid state hybrid drives that combine hard disks with solid state cache. Some storage devices 128 may be non-volatile, mutable, or read-only. Some storage devices 128 may be internal and connect to computing device 100 via bus 150. Some storage devices 128 may be external and connect to computing device 100 via an I/O device 130 that provides an external bus. Some storage devices 128 may connect to computing device 100 via network interface 118 over network 104, including, e.g., the Remote Disk for MACBOOK AIR by Apple. Some client devices 100 may not require a non-volatile storage device 128 and may be thin clients or zero clients 102. Some storage devices 128 may also be used as an installation device 116 and may be suitable for installing software and programs. Additionally, the operating system and the software can be run from a bootable medium, for example, a bootable CD, e.g., KNOPPIX, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.

Computing device 100 (e.g., client device 102) may also install software or applications from an application distribution platform. Examples of application distribution platforms include the App Store for iOS provided by Apple, Inc., the Mac App Store provided by Apple, Inc., GOOGLE PLAY for Android OS provided by Google Inc., Chrome Webstore for CHROME OS provided by Google Inc., and Amazon Appstore for Android OS and KINDLE FIRE provided by Amazon.com, Inc. An application distribution platform may facilitate installation of software on client device 102. An application distribution platform may include a repository of applications on server 106 or cloud 108, which clients 102 a-102 n may access over a network 104. An application distribution platform may include applications developed and provided by various developers. A user of client device 102 may select, purchase and/or download an application via the application distribution platform.

Furthermore, computing device 100 may include a network interface 118 to interface to network 104 through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T1, T3, Gigabit Ethernet, InfiniBand), broadband connections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet, Ethernet-over-SONET, ADSL, VDSL, BPON, GPON, fiber optical including FiOS), wireless connections, or some combination of any or all of the above. Connections can be established using a variety of communication protocols (e.g., TCP/IP, Ethernet, ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), IEEE 802.11a/b/g/n/ac, CDMA, GSM, WiMAX, and direct asynchronous connections). In one embodiment, computing device 100 communicates with other computing devices 100′ via any type and/or form of gateway or tunneling protocol, e.g., Secure Sockets Layer (SSL) or Transport Layer Security (TLS), or the Citrix Gateway Protocol manufactured by Citrix Systems, Inc. Network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, EXPRESSCARD network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing computing device 100 to any type of network capable of communication and performing the operations described herein.

Computing device 100 of the sort depicted in FIGS. 1B and 1C may operate under the control of an operating system, which controls scheduling of tasks and access to system resources. Computing device 100 can be running any operating system such as any of the versions of the MICROSOFT WINDOWS operating systems, the different releases of the Unix and Linux operating systems, any version of the MAC OS for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating system for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein. Typical operating systems include, but are not limited to: WINDOWS 2000, WINDOWS Server 2012, WINDOWS CE, WINDOWS Phone, WINDOWS XP, WINDOWS VISTA, WINDOWS 7, WINDOWS RT, WINDOWS 8 and WINDOWS 10, all of which are manufactured by Microsoft Corporation of Redmond, Wash.; MAC OS and iOS, manufactured by Apple, Inc.; Linux, a freely-available operating system, e.g., the Linux Mint distribution (“distro”) or Ubuntu, distributed by Canonical Ltd. of London, United Kingdom; Unix or other Unix-like derivative operating systems; and Android, designed by Google Inc., among others. Some operating systems, including, e.g., the CHROME OS by Google Inc., may be used on zero clients or thin clients, including, e.g., CHROMEBOOKS.

Computer system 100 can be any workstation, telephone, desktop computer, laptop or notebook computer, netbook, ULTRABOOK, tablet, server, handheld computer, mobile telephone, smartphone or other portable telecommunications device, media playing device, gaming system, mobile computing device, or any other type and/or form of computing, telecommunications or media device that is capable of communication. Computer system 100 has sufficient processor power and memory capacity to perform the operations described herein. In some embodiments, computing device 100 may have different processors, operating systems, and input devices consistent with the device. The Samsung GALAXY smartphones, e.g., operate under the control of the Android operating system developed by Google, Inc. GALAXY smartphones receive input via a touch interface.

In some embodiments, computing device 100 is a gaming system. For example, the computer system 100 may comprise a PLAYSTATION 3, PERSONAL PLAYSTATION PORTABLE (PSP), PLAYSTATION VITA, PLAYSTATION 4, or PLAYSTATION 4 PRO device manufactured by the Sony Corporation of Tokyo, Japan; a NINTENDO DS, NINTENDO 3DS, NINTENDO WII, NINTENDO WII U, or NINTENDO SWITCH device manufactured by Nintendo Co., Ltd., of Kyoto, Japan; or an XBOX 360 device manufactured by Microsoft Corporation.

In some embodiments, computing device 100 is a digital audio player such as the Apple IPOD, IPOD Touch, and IPOD NANO lines of devices, manufactured by Apple Computer of Cupertino, Calif. Some digital audio players may have other functionality, including, e.g., a gaming system or any functionality made available by an application from a digital application distribution platform. For example, the IPOD Touch may access the Apple App Store. In some embodiments, computing device 100 is a portable media player or digital audio player supporting file formats including, but not limited to, MP3, WAV, M4A/AAC, WMA Protected AAC, AIFF, Audible audiobook, Apple Lossless audio file formats and .mov, .m4v, and .mp4 MPEG-4 (H.264/MPEG-4 AVC) video file formats.

In some embodiments, computing device 100 is a tablet, e.g., the IPAD line of devices by Apple; the GALAXY TAB family of devices by Samsung; or KINDLE FIRE, by Amazon.com, Inc. of Seattle, Wash. In other embodiments, computing device 100 is an eBook reader, e.g., the KINDLE family of devices by Amazon.com, or the NOOK family of devices by Barnes & Noble, Inc. of New York City, N.Y.

In some embodiments, communications device 102 includes a combination of devices, e.g., a smartphone combined with a digital audio player or portable media player. For example, one of these embodiments is a smartphone, e.g., the iPhone family of smartphones manufactured by Apple, Inc.; a Samsung GALAXY family of smartphones manufactured by Samsung, Inc.; or a Motorola DROID family of smartphones. In yet another embodiment, communications device 102 is a laptop or desktop computer equipped with a web browser and a microphone and speaker system, e.g., a telephony headset. In these embodiments, communications devices 102 are web-enabled and can receive and initiate phone calls. In some embodiments, a laptop or desktop computer is also equipped with a webcam or other video capture device that enables video chat and video calls.

In some embodiments, the status of one or more machines 102, 106 in network 104 is monitored, generally as part of network management. In one of these embodiments, the status of a machine may include an identification of load information (e.g., the number of processes on the machine, CPU, and memory utilization), of port information (e.g., the number of available communication ports and the port addresses), or of session status (e.g., the duration and type of processes, and whether a process is active or idle). In another of these embodiments, the information may be identified by a plurality of metrics, and the plurality of metrics can be applied at least in part towards decisions in load distribution, network traffic management, and network failure recovery as well as any aspects of operations of the present solution described herein. Aspects of the operating environments and components described above will become apparent in the context of the systems and methods disclosed herein.

B. Systems and Methods for Improving Assessment of Security Risk Based on Personal Internet Account Data

The following describes systems and methods for improving assessment of security risks that users pose to an organization based on their personal internet account data.

An organization does not usually have access to information related to a user's personal domain, such as the user's personal email address. Also, the organization may not have any means to detect the security awareness behavior of users in their personal domain. As a result, the full security risk that users pose to the organization may not be known to it. Furthermore, even if the organization has access to personal information of the users, it would most likely be available only within a particular department, for example, a Human Resources (HR) department, and not available to any other department within the organization. In an example, the personal information of the users may not be available to a system administrator or an Information Technology (IT) department of the organization. The system administrator may be a professional (or a team of professionals) managing organizational cybersecurity aspects. The system administrator may oversee and manage IT systems of the organization.

Also, a significant number of organization email breaches occur when users use their organization email address for registrations on websites in their personal domain. In an example, users may use their organization email address to register on entertainment and media websites, for example, for gaming, travel, booking restaurants, and other personal purposes. Such usage exposes the users' organization email address to risk, and it may be subjected to attacks or may become compromised. Accordingly, when a user registers for a website in a personal domain using organization login credentials (e.g., one or more of an email address, a username, or a password), the user may unintentionally expose the organization login credentials to a risk of hijacking that may provide an attacker with access to organizational data.

FIG. 2 depicts an architecture of an implementation of system 200 for determining a personal risk score of a user of an organization based on personal information of the user, according to some embodiments.

System 200 may include security awareness system 202, user device 204, email server 206, one or more breach databases 208(1-N), and network 210 enabling communication between the system components for information exchange. Network 210 may be an example or instance of network 104, details of which are provided with reference to FIG. 1A and its accompanying description.

According to some embodiments, security awareness system 202 may be implemented in a variety of computing systems, such as a mainframe computer, a server, a network server, a laptop computer, a desktop computer, a notebook, a workstation, and any other computing system. In an implementation, security awareness system 202 may be implemented in a server, such as server 106 shown in FIG. 1A. In some implementations, security awareness system 202 may be implemented by a device, such as computing device 100 shown in FIGS. 1C and 1D. In some embodiments, security awareness system 202 may be implemented across a server cluster, whereby tasks performed by security awareness system 202 may be performed by the plurality of servers. These tasks may be allocated among the server cluster by an application, a service, a daemon, a routine, or other executable logic for task allocation.

In one or more embodiments, security awareness system 202 may facilitate cybersecurity awareness training, for example, via simulated phishing campaigns, computer-based training, remedial training, and risk score generation and tracking. A simulated phishing campaign is a technique of testing a user to see whether the user is likely to recognize a true malicious phishing attack and act appropriately upon receiving the malicious phishing attack. In some embodiments, the user may be an employee of the organization, a customer, a vendor, or anyone associated with the organization. In some embodiments, the user may be an end-customer/consumer or a patron using the goods and/or services of the organization. In an implementation, security awareness system 202 may execute the simulated phishing campaign by sending out one or more simulated phishing messages periodically or occasionally to the users and observing the responses of the users to such simulated phishing messages. A simulated phishing message may mimic a real phishing message and appear genuine to entice a user to respond to or interact with the simulated phishing message. The simulated phishing message may include links, attachments, macros, or any other simulated phishing threat that resembles a real phishing threat. In response to a user interaction with the simulated phishing message, for example, if the user clicks on a link (i.e., a simulated phishing link), the user may be provided with security awareness training. If and how the user interacts with the simulated phishing message may be logged and may impact a risk score of the user, a risk score of a team of which the user is part, a risk score of the user's organization, and/or a risk score of an industry to which the user's organization belongs.

In some implementations, security awareness system 202 may be owned or managed by or otherwise associated with an organization or any entity authorized thereby. In an implementation, security awareness system 202 may be managed by a system administrator. The system administrator may oversee and manage security awareness system 202 to ensure that cybersecurity goals of the organization are met. For example, the system administrator may oversee Information Technology (IT) systems of the organization for managing simulated phishing campaigns and any other element within security awareness system 202. In an example, security awareness system 202 may be a Computer Based Security Awareness Training (CBSAT) system that performs security services such as performing simulated phishing campaigns on a user or a set of users of an organization as a part of security awareness training.

Referring again to FIG. 2, in some embodiments, user device 204 may be any device used by the user. User device 204, as disclosed, may be any computing device, such as a desktop computer, a laptop, a tablet computer, a mobile device, a Personal Digital Assistant (PDA) or any other computing device. In an implementation, user device 204 may be a device such as client device 102 shown in FIG. 1A and FIG. 1B. User device 204 may be implemented by a device such as computing device 100 shown in FIG. 1C and FIG. 1D.

Further, email server 206 may be any server capable of handling and delivering emails over network 210 using one or more standard email protocols, such as Post Office Protocol 3 (POP3), Internet Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), and Multipurpose Internet Mail Extensions (MIME). Email server 206 may be a standalone server or a part of an organization server. Email server 206 may be implemented using, for example, Microsoft® Exchange Server or HCL Domino®. In an implementation, email server 206 may be server 106 shown in FIG. 1A. Email server 206 may be implemented by a device, such as computing device 100 shown in FIGS. 1C and 1D. In some embodiments, email server 206 may be implemented as a part of a server cluster. In some embodiments, email server 206 may be implemented across a plurality of servers, whereby tasks performed by email server 206 may be performed by the plurality of servers. These tasks may be allocated among the server cluster by an application, a service, a daemon, a routine, or other executable logic for task allocation.

According to some embodiments, one or more breach databases 208(1-N) may be dynamic databases that include public databases and/or private databases. One or more breach databases 208(1-N) may include information related to user login credentials of websites which have been breached. Examples of user login credentials may include a username, an email address and/or a password. A username is a unique combination of characters, such as letters of the alphabet and/or numbers and/or non-alphanumeric symbols, that identifies a specific user. The user may gain access to a website using the user login credentials. In an example implementation, security awareness system 202 may determine that user login credentials including a username and/or an email address are associated with a data breach if the username and/or the email address is found in one or more breach databases 208(1-N). In some embodiments, information related to the user login credentials of the users stored in one or more breach databases 208(1-N) may be periodically or dynamically updated as required.

According to some embodiments, security awareness system 202 may include processor 212 and memory 214. For example, processor 212 and memory 214 of security awareness system 202 may be CPU 121 and main memory 122, respectively, as shown in FIGS. 1C and 1D. According to an embodiment, security awareness system 202 may include verification unit 216, exposure check unit 218, security audit unit 220, risk score calculator 222, remediation unit 224, and detection unit 226. In an implementation, verification unit 216, exposure check unit 218, security audit unit 220, risk score calculator 222, remediation unit 224, and detection unit 226 may be coupled to processor 212 and memory 214. In some embodiments, verification unit 216, exposure check unit 218, security audit unit 220, risk score calculator 222, remediation unit 224, and detection unit 226, amongst other units, may include routines, programs, objects, components, data structures, etc., which may perform particular tasks or implement particular abstract data types. Verification unit 216, exposure check unit 218, security audit unit 220, risk score calculator 222, remediation unit 224, and detection unit 226 may also be implemented as signal processor(s), state machine(s), logic circuitries, and/or any other device or component that manipulates signals based on operational instructions.

In some embodiments, verification unit 216, exposure check unit 218, security audit unit 220, risk score calculator 222, remediation unit 224, and detection unit 226 may be implemented in hardware, instructions executed by a processing unit, or by a combination thereof. The processing unit may comprise a computer, a processor, a state machine, a logic array, or any other suitable devices capable of processing instructions. The processing unit may be a general-purpose processor that executes instructions to cause the general-purpose processor to perform the required tasks or, the processing unit may be dedicated to performing the required functions. In some embodiments, verification unit 216, exposure check unit 218, security audit unit 220, risk score calculator 222, remediation unit 224, and detection unit 226 may be machine-readable instructions which, when executed by a processor/processing unit, perform any of the desired functionalities. The machine-readable instructions may be stored on an electronic memory device, hard disk, optical disk, or other machine-readable storage medium or non-transitory medium. In an implementation, the machine-readable instructions may also be downloaded to the storage medium via a network connection. In an example, the machine-readable instructions may be stored in memory 214.

In some embodiments, security awareness system 202 may include password storage 228, user personal information storage 230, risk score storage 232, and website information storage 234. In an implementation, password storage 228 may include information about organization passwords of the users. User personal information storage 230 may store information related to personal accounts of the users. In an example, information related to personal accounts of the users may include personal email addresses, usernames, passwords, and/or other information from the users' personal domain. According to an implementation, the users may voluntarily provide the information related to their personal accounts. In an example, user personal information storage 230 may also store information about past or previous organizations of the user, such as previous organization email addresses. Further, risk score storage 232 may include security awareness profiles of the users and risk scores of the users (in some examples, the security awareness profile of the user may include a risk score of the user). In an example, a security awareness profile of a user may include information about the security awareness of the user and other information which is relevant for assessing the security awareness of the user. A risk score of a user may include a representation of the susceptibility of the user to a malicious attack. Also, the risk score for a user may quantify a cybersecurity risk that the user poses to an organization. The risk score may also quantify the level of risk for a group of users, the organization, an industry to which the organization belongs, a geography, and any other categorization. In an example, the risk score of the user may be modified based on the user's responses to simulated phishing messages, assessed user behavior, breached user information, completion of training by the user, a current position of the user in the organization, a size of a network of the user, an amount of time the user has held the current position in the organization, and/or any other attribute that can be associated with the user. In an implementation, a higher risk score of the user indicates that a higher security risk is associated with the user and a lower risk score indicates a lower security risk and better security awareness.
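The exposure check against breach databases 208(1-N) described above and the risk-score adjustment this paragraph describes, carried through in Python as an added example that is not the patent's code: the record layout, the weights and the sample breach data are constructed here, and the score attributes are a subset of those the text lists.

```python
"""Added example (not the patent's code): an exposure check against breach
databases 208(1-N) followed by a personal risk-score adjustment. Record
layout, weights and the sample breach data below are constructed."""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BreachRecord:
    # One leaked credential row as a breach database might expose it.
    source: str                       # name of the breached website or dump
    email: Optional[str] = None
    username: Optional[str] = None


def normalize(identifier: str) -> str:
    # Dumps differ in case and stray whitespace; compare canonical forms so
    # "Alice@Example.com" matches "alice@example.com".
    return identifier.strip().lower()


def exposure_check(email: Optional[str], username: Optional[str],
                   databases: List[List[BreachRecord]]) -> List[str]:
    """Return the sorted names of breaches in which the email and/or username appears.

    This is the check the text describes: credentials are treated as associated
    with a data breach if the username or the email address is found in any of
    the breach databases. Each database is a plain list of records here.
    """
    wanted_email = normalize(email) if email else None
    wanted_user = normalize(username) if username else None
    hits = set()
    for db in databases:
        for rec in db:
            if wanted_email and rec.email and normalize(rec.email) == wanted_email:
                hits.add(rec.source)
            elif wanted_user and rec.username and normalize(rec.username) == wanted_user:
                hits.add(rec.source)
    return sorted(hits)


@dataclass
class UserProfile:
    # A subset of the attributes the text names as risk-score inputs.
    phishing_clicks: int              # interactions with simulated phishing links
    correct_responses: int            # simulated messages handled appropriately
    training_completed: bool
    breaches: List[str] = field(default_factory=list)


# Constructed weights. Higher score = higher risk, as the text defines it.
BASELINE = 50.0
W_CLICK = 10.0
W_CORRECT = -3.0
W_BREACH = 8.0
W_TRAINING = -10.0


def personal_risk_score(profile: UserProfile) -> float:
    """Combine the profile attributes into a risk score clamped to 0-100."""
    score = BASELINE
    score += W_CLICK * profile.phishing_clicks
    score += W_CORRECT * profile.correct_responses
    score += W_BREACH * len(profile.breaches)
    if profile.training_completed:
        score += W_TRAINING
    return max(0.0, min(100.0, score))


def assess(email: Optional[str], username: Optional[str],
           databases: List[List[BreachRecord]],
           profile: UserProfile) -> Tuple[List[str], float]:
    """Run the exposure check and return (breaches found, adjusted risk score)."""
    breaches = exposure_check(email, username, databases)
    return breaches, personal_risk_score(replace(profile, breaches=breaches))


# Constructed sample breach databases; not real breach data.
BREACH_DB_1 = [
    BreachRecord(source="example-forum", email="Alice@Example.com"),
    BreachRecord(source="example-forum", email="bob@example.com"),
]
BREACH_DB_2 = [
    BreachRecord(source="example-travel-site", username="alice_w"),
    BreachRecord(source="example-game-site", email="carol@example.com"),
]

if __name__ == "__main__":
    alice = UserProfile(phishing_clicks=2, correct_responses=3, training_completed=False)
    print(assess("alice@example.com", "alice_w", [BREACH_DB_1, BREACH_DB_2], alice))
    # → (['example-forum', 'example-travel-site'], 77.0)
```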

According to an implementation, website information storage 234 may store information related to personal domain websites. In an example, website information storage 234 may store information about login pages for known or popular personal domain websites, email addresses associated with messages sent by those websites, or examples of registration email validation messages and promotional messages used by personal domain websites. In an example, a registration email validation message is a message that is sent by a website (for example, a personal domain website) to an email address that a user input when registering with the website. The registration email validation message may include a link for the user to click to validate that he or she is the owner of the email address and may include keywords such as “verify your email address,” “confirm your email,” and “activate your account.” Further, in an example, a promotional message may be an email message such as a weekly newsletter, a sale promotion email, or other promotional message that a business distributes to promote its products, services, offers, campaigns, etc. In an example, the promotional messages from various personal domain websites may have specific characteristics in common. In an example, the promotional messages may include an unsubscribe link (for example, “Click here to unsubscribe from these emails”), discount details (for example, “up to 40% off”) and other such characteristics. Further, promotional messages may include keywords such as “discount,” “unsubscribe,” “sale,” “offer,” and “hurry.”
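Detection logic over the message characteristics this paragraph lists, as an added example rather than code from the patent: it classifies a message as a registration validation or promotional message and flags an organization address that appears to have been registered on a personal-domain website, the exposure described earlier in this section. The sender table standing in for website information storage 234, the two-signal threshold and the sample messages are constructed.

```python
"""Added example (not the patent's code): classifying an inbound message as a
registration validation message or a promotional message from the
characteristics the text lists, and flagging an organization address that
appears to have been registered on a known personal-domain website. The
sender table and sample messages are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Keywords the text gives for registration email validation messages.
VALIDATION_PHRASES = ("verify your email address", "confirm your email",
                      "activate your account")
# Keywords the text gives for promotional messages.
PROMO_KEYWORDS = ("discount", "unsubscribe", "sale", "offer", "hurry")
# Two further promotional characteristics: an unsubscribe link and discount
# details such as "up to 40% off".
UNSUBSCRIBE_LINK_RE = re.compile(r"click here to unsubscribe", re.IGNORECASE)
DISCOUNT_RE = re.compile(r"(?:up to\s+)?\d{1,3}%\s*off", re.IGNORECASE)

# Constructed stand-in for website information storage 234: sender addresses
# associated with messages from known personal-domain websites.
KNOWN_SENDERS = {
    "noreply@games.example.net": "games.example.net",
    "deals@travel.example.org": "travel.example.org",
}


@dataclass(frozen=True)
class Message:
    sender: str
    recipient: str
    subject: str
    body: str


def classify(msg: Message) -> Optional[str]:
    """Return "registration_validation", "promotional" or None."""
    text = f"{msg.subject}\n{msg.body}".lower()
    if any(phrase in text for phrase in VALIDATION_PHRASES):
        return "registration_validation"
    signals = sum(1 for kw in PROMO_KEYWORDS if re.search(rf"\b{kw}\b", text))
    if UNSUBSCRIBE_LINK_RE.search(text):
        signals += 1
    if DISCOUNT_RE.search(text):
        signals += 1
    # Require at least two characteristics so that a single word such as
    # "offer" in ordinary business mail is not enough on its own.
    return "promotional" if signals >= 2 else None


def flag_personal_registration(msg: Message, org_domain: str) -> Optional[str]:
    """Return the personal-domain site when an organization address appears to
    have been used to register there, otherwise None.

    Both a validation message and later promotional mail from a known site
    indicate that the organization address is registered with that site.
    """
    if not msg.recipient.lower().endswith("@" + org_domain.lower()):
        return None
    site = KNOWN_SENDERS.get(msg.sender.lower())
    if site is None or classify(msg) is None:
        return None
    return site


# Constructed sample messages.
SAMPLE_MESSAGES = [
    Message("noreply@games.example.net", "alice@acme.example",
            "Activate your account",
            "Thanks for signing up. Click the link below to activate your account."),
    Message("deals@travel.example.org", "alice@acme.example",
            "Weekend sale: up to 40% off",
            "Hurry, the offer ends Sunday. Click here to unsubscribe from these emails."),
    Message("cfo@acme.example", "alice@acme.example",
            "Vendor offer",
            "Please review the attached offer before Friday."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m.sender, classify(m), flag_personal_registration(m, "acme.example"))
```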

Information about organization passwords of the users stored in password storage 228, personal information related to the users stored in user personal information storage 230, security awareness profiles of the users and risk scores of the users stored in risk score storage 232, and information about personal websites stored in website information storage 234 may be periodically or dynamically updated as required.

Referring again to FIG. 2, in some embodiments, user device 204 may be any device used by a user. The user may be an employee of an organization or any entity. According to some embodiments, user device 204 may include processor 236 and memory 238. In an example, processor 236 and memory 238 of user device 204 may be CPU 121 and main memory 122, respectively, as shown in FIGS. 1C and 1D. User device 204 may also include user interface 240 such as a keyboard, a mouse, a touch screen, a haptic sensor, a voice-based input unit, or any other appropriate user interface. It shall be appreciated that such components of user device 204 may correspond to similar components of computing device 100 in FIGS. 1C and 1D, such as keyboard 126, pointing device 127, I/O devices 130 a-n and display devices 124 a-n. User device 204 may also include display 242, such as a screen, a monitor connected to the device in any manner, or any other appropriate display. In an implementation, user device 204 may display received content (for example, emails) for the user using display 242 and is able to accept user interaction via user interface 240 responsive to the displayed content.

In some embodiments, user device 204 may include email client 244. In one example implementation, email client 244 may be an application installed on user device 204. In another example implementation, email client 244 may be an application that can be accessed over network 210 through a browser without needing to be installed on user device 204. In an implementation, email client 244 may be any application capable of composing, sending, receiving, and reading email messages. For example, email client 244 may be an instance of an application, such as the Microsoft Outlook™ application, HCL Notes application, IBM® Lotus Notes® application, Apple® Mail application, Gmail® application, or any other known or custom email application. In an example, a user of user device 204 may be mandated to download and install email client 244 by the organization. In another example, email client 244 may be provided by the organization as default. In some examples, a user of user device 204 may select, purchase and/or download email client 244, through, for example, an application distribution platform. The term “application” as used herein may refer to one or more applications, services, routines, or other executable logic or instructions.

According to one or more embodiments, a user of the organization may be aware that his or her actions outside the organization may affect the security of the organization. In some instances, the user may be willing to improve his or her security awareness behavior. In an implementation, the user, or another person, for example, the user's manager in the organization, may place a request to security awareness system 202 for registration of the user's personal information. In examples, a user, a user's manager, a system administrator or a security awareness system may initiate a request from security awareness system 202 to the user's device 204, causing the user's device 204 to display a request to the user, wherein the request asks the user to register personal information with the security awareness system or asks the user to send personal information to the security awareness system. In one example, the user may initiate the request by opting in for personal information registration. In an implementation, security awareness system 202 may receive a request for registration of the personal information of the user, for example from a user's manager or a system administrator or other company official. In some implementations, security awareness system 202 may initiate the request for registration of the personal information of the user on behalf of the user. In some implementations, security awareness system 202 may prompt or provide an option to the user to register their personal information. According to an example, a user may provide personal information to security awareness system 202 voluntarily or in response to a prompt. Security awareness system 202 may receive the personal information of the user, for example, one or more of a personal email address, a username, and a personal password or a password associated with a personal domain. In examples, “registration” of personal information of the user at the security awareness system 202 is considered performed merely by the security awareness system 202 receiving personal information of the user.

In order to verify that the personal information provided by the user or for the user belongs to the user, security awareness system 202 may initiate verification of the personal information through verification unit 216. In a scenario where the user's personal information includes an email address, verification unit 216 may verify that the personal email address is within the personal domain of the user. According to an implementation, verification unit 216 may send a confirmation email to the personal email address provided by the user or for the user to verify whether the personal email address is controlled by the user. For example, a confirmation email may include a one-time code for the user to input into security awareness system 202 confirming access to the personal email address. In examples, the one-time code may be valid for only one login session or transaction or may be valid only for a short period of time. In an example, the one-time code may be valid for a period of time, such as 2 minutes. In some examples, the confirmation email may include a time-sensitive link that has to be followed or clicked within a specified time period (for example, 15 minutes) to complete the verification process. In some examples, the user may input the one-time code into security awareness system 202 or follow the provided link within the specified time period to validate the ownership of, or access to, the personal email address. The input of the correct one-time code or following of the supplied link within the specified time period enables verification unit 216 to verify that the personal email address provided for or by the user and/or the personal information provided for or by the user is owned or controlled by the user. Accordingly, verification unit 216 prevents a user from, for example, registering with another user's email address. Other methods to confirm or verify that personal information registered with or sent to security awareness system 202 belongs to the user that are not discussed here are contemplated herein.

According to some embodiments, verification unit 216 may be configured to register and store personal information of the user in response to verification that the personal email address provided for or by the user is within the personal domain of the user. In another embodiment, verification unit 216 may register and store personal information provided for or by the user without verifying that the personal information belongs to the user. Verification unit 216 may be configured to store personal information of the user in user personal information storage 230. In an implementation, for security and privacy reasons and/or to comply with respective privacy laws of corresponding countries, verification unit 216 may store personal information of the user in an encrypted, hashed, or obfuscated form. In some examples, verification unit 216 may store personal information of the user in a plain text or non-encrypted form. In some implementations, verification unit 216 may establish a link between a security awareness profile of the user and personal information of the user.

After personal information of the user is registered and/or received and/or stored, verification unit 216 may be configured to notify the system administrator that the user has provided or sent personal information to security awareness system 202 or has registered personal information with security awareness system 202. In some implementations, verification unit 216 may provide levels of visibility of personal information of a user to the system administrator. In an example, personal information of one or more users may be fully visible to the system administrator. In some examples, personal information of the one or more users may be partially obscured. For example, an email address “user08@gmail.com” may be displayed to the system administrator as u*****@*****.com or another combination of obfuscated and actual characters. In some examples, the information may be unavailable to the system administrator. In some scenarios, the system administrator may be given an indication confirming that the user has registered his or her personal information with security awareness system 202. Further, in some examples, the personal information may be unavailable to the system administrator, and the system administrator is not notified when the personal information is provided by the user. In some embodiments, access to passwords entered into security awareness system 202 may be restricted to non-humans, such as Artificial Intelligence (AI), operating logic, and other processing systems.
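The registration flow of the preceding paragraphs (one-time code that expires after the 2-minute example window and is consumed by a single attempt, hashed storage, and the u*****@*****.com masking shown to the administrator) can be illustrated in one place. The following is an added example and not code from the patent or from any product it describes; the class and method names, the 6-digit code length, the injectable clock, and the three visibility levels are assumptions made for the illustration.

```python
import hashlib
import secrets
import time
from hmac import compare_digest

# Constructed parameters (assumptions; only the 2-minute validity comes from the text).
CODE_TTL_SECONDS = 120
CODE_DIGITS = 6


def mask_email(address):
    """Partially obscure an address as the text shows: user08@gmail.com -> u*****@*****.com."""
    local, _, domain = address.partition("@")
    name, dot, tld = domain.rpartition(".")
    return local[:1] + "*" * (len(local) - 1) + "@" + "*" * len(name) + dot + tld


class PersonalInfoRegistrar:
    """Toy stand-in for verification unit 216 plus user personal information storage 230.

    `clock` is injectable so that code expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # (user_id, email) -> (code, expiry timestamp)
        self._store = {}     # user_id -> stored personal information record

    def request_registration(self, user_id, personal_email):
        """Issue a one-time code; a real system would email it, not return it to the caller."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._pending[(user_id, personal_email)] = (code, self._clock() + CODE_TTL_SECONDS)
        return code

    def confirm(self, user_id, personal_email, submitted_code):
        """Validate the code: consumed on the first attempt (right or wrong) and time-limited."""
        entry = self._pending.pop((user_id, personal_email), None)
        if entry is None:
            return False
        code, expiry = entry
        if self._clock() > expiry:
            return False
        if not (submitted_code.isascii() and compare_digest(code, submitted_code)):
            return False
        # Control of the address is now proven: register it. The hash is what later
        # exposure checks can match on; a production store would encrypt the plaintext.
        self._store[user_id] = {
            "email": personal_email,
            "email_sha256": hashlib.sha256(personal_email.lower().encode()).hexdigest(),
            "display": mask_email(personal_email),
        }
        return True

    def admin_view(self, user_id, visibility):
        """Administrator visibility levels: 'full', 'masked', or anything else = hidden."""
        rec = self._store.get(user_id)
        if rec is None:
            return None
        if visibility == "full":
            return rec["email"]
        if visibility == "masked":
            return rec["display"]
        return "registered"   # hidden: only an indication that registration happened
```

Consuming the pending code on a wrong guess, rather than leaving it valid until expiry, is the design choice that keeps a 6-digit code from being guessed within its window; the cost is that a mistyped code forces a new email.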

According to some embodiments, security awareness system 202 may perform an exposure check and/or a security audit on the personal information of the user. In an implementation, exposure check unit 218 is configured to perform the exposure check of the personal information of the user by searching for the user's personal information or credentials in one or more breach databases 208(1-N). For example, exposure check unit 218 may check if one or more usernames and/or email addresses registered by the user is found in the one or more breach databases 208(1-N), thereby indicating that the one or more usernames and/or email addresses have been exposed in a security breach. In an implementation, exposure check unit 218 may use at least one of an email address or a username in the personal information to search for breached user information in one or more breach databases 208(1-N). In an example, exposure check unit 218 may separate the email address account name (user) from its domain name (@company.com) and perform an exposure check on the account name. For example, if the email address provided by the user is “user08@gmail.com,” then exposure check unit 218 may separate “user08” from “user08@gmail.com” and perform an exposure check using the account name “user08”.

In implementations where the user has provided one or more passwords during registration, exposure check unit 218 may check whether those passwords are associated with any known data breach. In an example, exposure check unit 218 may determine that a password is associated with a known data breach if the password is detected in one or more breach databases 208(1-N). In some examples, exposure check unit 218 may query one or more breach databases 208(1-N) to determine if the one or more passwords provided by the user have been compromised in a data breach. In some examples, exposure check unit 218 may provide the passwords in a query to one or more breach databases 208(1-N).

In some embodiments, security audit unit 220 may be configured to perform a security audit of the personal information of the user. In an implementation, security audit unit 220 may perform the security audit by assessing a strength of the one or more stored personal passwords from the personal information and evaluating whether the passwords used for personal information comply with policies that the organization has for password strength. In some examples, security audit unit 220 may assess the personal passwords to determine if there is password reuse or password sharing. In an example, password reuse refers to a same user using the same password to log in to more than one account and password sharing refers to a scenario where a password of a user of an organization is identified as identical to or similar to a password of another user of the organization. In an embodiment, security audit unit 220 may assess the strength of the one or more personal passwords based on some standards, such as National Institute of Standards and Technology (NIST) standards provided below.

-   a) A minimum of eight characters and a maximum length of at least 64 characters.
-   b) The ability to use all special characters but no special requirement to use them.
-   c) Restrict sequential and repetitive characters (e.g., 12365 or aaaaaa).
-   d) Restrict context specific passwords (e.g., the name of the site, etc.).
-   e) Restrict commonly used passwords (e.g., p@ssw0rd, etc.) and dictionary words.
-   f) Restrict passwords that match those obtained from previous breaches.

In an implementation, security audit unit 220 may compare the one or more registered personal passwords and identify reused passwords or derived passwords. In an example, “R@31F”, “password1”, “Welcome!”, “password2” and “PaSsWoRd” may be poor personal passwords provided by the user. A reused password may be a password that has been used previously or a password having similarity to a certain degree to a password that has been used previously. In an implementation, security audit unit 220 may identify “password1”, “password2”, and “PaSsWoRd” as reused when compared to the password “password”. Security audit unit 220 may use one or more tools to create permutations of one or more passwords to use as search terms. An example of one such tool is the “Bad Password Generator” tool, available via the website of bad.pw and created by Harold Zang, referred to as SpZ (at spz.io).
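The NIST-style checks listed above and the reuse detection of this paragraph can be implemented as one small audit. The following is an added example, not code from the patent or from the “Bad Password Generator” tool it mentions; the common-password, dictionary and breached-password sets are constructed stand-ins, and the canonicalisation rule (strip trailing digits and punctuation, undo leetspeak, lower-case) is one assumed way of catching derived passwords such as “password1” and “PaSsWoRd” against “password”.

```python
import re

# Constructed lists; a real deployment would use large breach corpora and a dictionary.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "welcome", "letmein"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey"}
BREACHED_PASSWORDS = {"Welcome!", "R@31F"}   # constructed stand-in for "previous breaches"

# Leetspeak substitutions undone when comparing passwords for reuse.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})


def canonical(password):
    """Collapse trailing digits/punctuation, leetspeak and case so derived passwords match.

    password1, password2 and PaSsWoRd all canonicalise to 'password'.
    """
    base = re.sub(r"[\d!?.]+$", "", password) or password
    return base.translate(LEET).lower()


def has_sequence_or_repeat(password, run=3):
    """True for runs such as 'aaa' or '123'/'cba' of `run` characters (NIST item c)."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def audit_password(password, context=()):
    """Return the list of findings for one password; an empty list means it complies."""
    findings = []
    if not 8 <= len(password) <= 64:
        findings.append("length")                       # item a
    # item b: every special character is allowed, so there is nothing to check
    if has_sequence_or_repeat(password):
        findings.append("sequential_or_repetitive")     # item c
    lowered = password.lower()
    if any(c.lower() in lowered for c in context if c):
        findings.append("context_specific")             # item d: site name, username, ...
    canon = canonical(password)
    if lowered in COMMON_PASSWORDS or canon in COMMON_PASSWORDS or canon in DICTIONARY_WORDS:
        findings.append("common_or_dictionary")         # item e
    if password in BREACHED_PASSWORDS:
        findings.append("breached")                     # item f
    return findings


def find_reuse(passwords):
    """Group passwords whose canonical forms coincide; groups of two or more are reuse."""
    groups = {}
    for pw in passwords:
        groups.setdefault(canonical(pw), []).append(pw)
    return {canon: pws for canon, pws in groups.items() if len(pws) > 1}


def reused_against(passwords, reference):
    """Passwords derived from a known reference, e.g. 'password' in the text's example."""
    ref = canonical(reference)
    return [pw for pw in passwords if canonical(pw) == ref]
```

Run over the five passwords named in the text, `reused_against(..., "password")` returns exactly “password1”, “password2” and “PaSsWoRd”, while “R@31F” and “Welcome!” are caught by the length and breached-list checks instead.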

In some embodiments, security audit unit 220 may perform a search for the registered personal passwords within password storage 228 to identify incidents of password sharing. In an example, security audit unit 220 may compare the personal passwords with other passwords within password storage 228. In an implementation, security audit unit 220 may search within the organization's Active Directory, or other corporate databases, for a match to passwords that the user is using within the organization. In an implementation, one or more breach databases 208(1-N) and password storage 228 may be continually or periodically monitored for similarity or match to the user's personal information. In an embodiment, the results of the exposure check and/or the results of the security audit may be provided to the system administrator.

According to an embodiment, security audit unit 220 may provide the user with a report on threats, breaches, and poor password hygiene associated with a personal domain as an incentive for registering his or her personal information with the organization, thus enabling the user to take appropriate actions to protect their personal information. In an example, security audit unit 220 may generate the report based on information determined by exposure check unit 218 and/or security audit unit 220 and in a further example, security audit unit 220 may generate the report based on searching breach data sites, such as “https://haveibeenpwned.com/” and “https://spycloud.com/” and dark web sources. In an implementation, security audit unit 220 may apply some or all of the security audit process to create a report for the user. In an example, the report may enable the user to gain a greater understanding of the risks that activities in the personal domain create for his or her personal information. Further, the user may be motivated to share further personal information with the organization so that the user can be informed about the risks associated with activities in the personal domain.

In an implementation, risk score calculator 222 may be configured to calculate one or more risk scores for the user. According to an embodiment, a non-exhaustive list of examples of individual risk scores include a personal risk score and an organization risk score. Other examples of the individual risk scores that are not discussed here are contemplated herein. In an example, an organization risk score for a user is a component of the risk score which is attributed to data held within the organization as a part of the ongoing employment of the user, and a personal risk score for the user is a component of the risk score which is attributed to the user's personal information and habits/behaviors within the personal domain. In an example, the personal risk score may also reflect a willingness of the user to provide the personal information to the organization that the user is not obliged to provide. In an example, more or fewer individual risk scores may be enabled by security awareness system 202. In examples where more than one risk score is contemplated, risk score calculator 222 may calculate each risk score individually or in another example, risk score calculator 222 may calculate a single, overall risk score for the user taking into account contributions from each area of risk. In some embodiments, risk score calculator 222 may be configured to calculate or adjust a personal risk score of the user according to an analysis of the user's personal information. In an example, when the user registers his or her personal information with security awareness system 202, risk score calculator 222 may set the personal risk score of the user at a level that indicates an action of opting-in. According to an embodiment, the amount of personal information that the user provides may affect the personal risk score of the user. For example, if the user provides two email addresses, then the personal risk score for the user may be set lower than if the user had provided a single email address. Further, in an example, if the user provides password information associated with the email address then the personal risk score may be set lower than if the user had provided only the email address. Many such combinations are contemplated herein to set or modify the personal risk score.

In an implementation, there may be multiple levels of access to the user's personal risk score. In an example, both the personal risk score of the user and the organization risk score of the user's organization may be visible to the system administrator. In some examples, the organization risk score of the user's organization may be visible to the system administrator as a risk score separate from the personal risk score of the user. In some examples, the personal risk score of the user may not be visible to the system administrator. In some embodiments, security awareness system 202 may provide a notification to the system administrator that the personal risk score of the user is managed by security awareness system 202 but is not configured to be visible to the system administrator.

In an implementation, risk score calculator 222 may calculate a personal risk score for the user based on various factors such as whether the user has low or negligible personal information exposure, whether the user has moderate personal information exposure, and whether the user has high personal information exposure. In an example, these factors may be placed on an importance/weight scale, for example, from 1 to 10. In an implementation, risk score calculator 222 may assign an example weight range “0-3” to the factor “the user has negligible personal information exposure”, an example weight range “4-7” to the factor “the user has moderate personal information exposure”, and an example weight range “8-10” to the factor “the user has high personal information exposure”.

According to an embodiment, the calculated value of the personal risk score (for example, 0 to 10) may be based on a threshold of a number of instances that the user's personal information was found in a breach, the strength of the passwords provided by the user, whether the breach was found in one or more breach databases 208(1-N), whether the database containing the breach was a database solely enabled by security awareness system 202 or a public database, or whether the information was found through the exposure check or the security audit. In an implementation, risk score calculator 222 may adjust the personal risk score of the user based at least on a result of the exposure check and/or the security audit.

Further, the personal risk score for the user may be updated based on a weighted risk score for each instance of breach associated with the user's personal information. In some examples, each instance of a breached username of the user may only be counted once towards the user's personal risk score, each instance of a breached password of the user may be counted 1.5 times towards the user's personal risk score, and each instance of a username of the user with a password of the user from the same breach may be counted 2 times towards the user's personal risk score. In an example, the personal risk score is incorporated into a risk score of the user that is calculated to determine the propensity that the user may respond to a malicious attack.
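The exposure check of the earlier paragraphs (splitting “user08” from “user08@gmail.com” and looking it up in breach databases 208(1-N)) and the weighted scoring of this paragraph (1, 1.5 and 2 per instance, the 0-3 / 4-7 / 8-10 exposure tiers, and the lower score for a user who registers more information) fit together in one worked calculation. The following is an added example and not the patent's own algorithm; the in-memory breach records are constructed, and the scaling of weighted instances onto the 0-10 scale, the opt-in credit, and the 0.4 weight used when combining with an organization risk score are assumptions, since the text names the factors but fixes no formula. A production exposure check would match on hashes rather than hold plaintext passwords as this toy does.

```python
# Weights the text gives for each breach instance.
WEIGHT_USERNAME = 1.0   # breached username: counted once
WEIGHT_PASSWORD = 1.5   # breached password: counted 1.5 times
WEIGHT_PAIR = 2.0       # username and password from the same breach: counted 2 times
# Constructed scaling assumption: how many points on the 0-10 scale one unit of weight is worth.
POINTS_PER_WEIGHT = 2.0

# Constructed sample records standing in for breach databases 208(1-N); not real breach data.
SAMPLE_BREACH_DB = [
    {"breach": "breach-A", "username": "user08", "password": "password1"},
    {"breach": "breach-B", "username": "user08", "password": None},
    {"breach": "breach-C", "username": "someone", "password": "Welcome!"},
    {"breach": "breach-D", "username": "other", "password": "hunter2"},
]


def account_name(email):
    """Split the account name from the domain, e.g. user08@gmail.com -> user08."""
    return email.split("@", 1)[0].lower()


def exposure_check(emails, passwords, breach_db=SAMPLE_BREACH_DB):
    """Return (kind, breach, weight) for every breach record matching the user's data."""
    names = {account_name(e) for e in emails}
    pws = set(passwords)
    instances = []
    for rec in breach_db:
        name_hit = rec["username"].lower() in names
        pw_hit = rec["password"] is not None and rec["password"] in pws
        if name_hit and pw_hit:
            instances.append(("username+password", rec["breach"], WEIGHT_PAIR))
        elif name_hit:
            instances.append(("username", rec["breach"], WEIGHT_USERNAME))
        elif pw_hit:
            instances.append(("password", rec["breach"], WEIGHT_PASSWORD))
    return instances


def opt_in_credit(emails, passwords):
    """Constructed rule for the text's opt-in effect: a second address and any password
    each lower the score by one point."""
    credit = 0
    if len(emails) > 1:
        credit += 1
    if passwords:
        credit += 1
    return credit


def personal_risk_score(emails, passwords, breach_db=SAMPLE_BREACH_DB):
    """Weighted sum of breach instances, scaled, less the opt-in credit, clamped to 0-10."""
    instances = exposure_check(emails, passwords, breach_db)
    raw = sum(weight for _, _, weight in instances) * POINTS_PER_WEIGHT
    score = int(round(raw)) - opt_in_credit(emails, passwords)
    return max(0, min(10, score))


def exposure_tier(score):
    """The text's example ranges: 0-3 negligible, 4-7 moderate, 8-10 high."""
    if score <= 3:
        return "negligible"
    if score <= 7:
        return "moderate"
    return "high"


def combined_risk_score(personal, organization, personal_weight=0.4):
    """Weighting algorithm combining the two scores; the 0.4 default is a constructed choice."""
    return round(personal_weight * personal + (1 - personal_weight) * organization, 2)
```

For the constructed records, a user who registers “user08@gmail.com” together with “password1” and “Welcome!” is matched by breach-A on both username and password (2.0), by breach-B on username only (1.0) and by breach-C on password only (1.5); the 4.5 units scale to 9 points, the password opt-in credit brings that to 8, and the result lands in the high tier.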

Risk score calculator 222 may also calculate an organization risk score for the organization of the user. A description of such a system may be found in U.S. Pat. No. 10,673,876. In an example, risk score calculator 222 may calculate an organization risk score for the organization of the user based on whether the user has interacted with malicious attacks in the past, whether the user received a high number of malicious attacks, and/or whether a job title of the user gives him or her expanded access to an organization network, any of which may pose a risk to the organization of the user. Examples of calculation of other types of risk scores that are not discussed here are contemplated herein and may be carried out by risk score calculator 222.

According to an embodiment, risk score calculator 222 may combine a personal risk score of a user with an organization risk score of the user's organization to generate a risk score. In an implementation, risk score calculator 222 may combine a personal risk score of a user with an organization risk score of the user's organization using an algorithm or algorithms. In an example, such an algorithm may be a weighting algorithm which may be adjusted depending on the severity of the breach associated with the user, the kind of breach associated with the user, or any other metric measured by security awareness system 202. In an example, a personal risk score of the user and the organization risk score of the user's organization may be stored in risk score storage 232. In an implementation, security awareness system 202 may send a notification to a system administrator about a personal risk score of the user and the organization risk score of the user's organization being combined.

In some embodiments, a personal risk score of a user, an organization risk score of the user's organization, or any other risk score contemplated may be used separately by security awareness system 202. In some examples, risk score calculator 222 is further configured to determine a risk score of the user based at least on the personal risk score of the user.

In an example, one or more risk scores in addition to a personal risk score of a user and an organization risk score of a user's organization may be contemplated. In this case, these one or more additional risk scores may be combined with each other, with the personal risk score of the user and/or with the organization risk score of the user's organization, for example according to an algorithm performed by risk score calculator 222.

According to some embodiments, remediation unit 224 may be configured to perform remedial training directed to a user based on at least a personal risk score of the user. For example, remediation unit 224 may be configured to perform remedial training if a user's personal risk score exceeds a set level or if the user's personal risk score increases. In an example, remediation unit 224 may perform remedial training by tailoring training content to educate the user. In examples, remediation unit 224 may provide training to the user via a landing page hosted by security awareness system 202. In an example, the landing page may be a web page that enables provisioning of training materials to the user. For example, the landing page may provide to the user training related to choosing strong passwords and avoiding password reuse and password sharing.

In some embodiments, remediation unit 224 may prompt a user to change one or more passwords. In an implementation, remediation unit 224 may prompt a user to acknowledge a username, password and/or email address associated with the user that has been included in a breach. In an implementation, remediation unit 224 may require the user to render secure one or more of his or her organizational and/or personal accounts by changing one or more passwords. Further, remediation unit 224 may request the user to confirm that the user has secured one or more accounts. In an implementation, remediation unit 224 may provide a recommendation to the user to improve one or more of their personal passwords. Further, in an implementation, remediation unit 224 may recommend and facilitate remedial training to a user via an interaction with the user. In an example, remediation unit 224 may communicate and/or interact with the user using a pop-up message. A pop-up message may be understood to refer to the appearance of graphical or textual content displayed to a user. In examples, a message prompting a user to change one or more passwords of the user may be presented on a display as part of, or within, a “window” or a user interface element or a dialogue box. Other known examples and implementations of pop-up messages are contemplated herein as part of this disclosure.

In an implementation, remediation unit 224 may send one or more communications to a user to determine whether the user has completed training, changed one or more passwords (for example, one or more personal passwords of the user, which in examples cannot be viewed by security awareness system 202), or whether the user has completed any other form of remediation. In an example, on receiving the one or more communications, the user may update personal information of the user with security awareness system 202. In examples, feedback to the user on one or more of security issues, security recommendations, and security remediations may be provided so as to protect the security and privacy of the user and to ensure that it is not possible to infer information about other users in the organization based on information of the user. In an example, if a personal password of a user of an organization is identified as similar to the personal password of another user of the organization, the personal password or similar personal passwords may be flagged to the users as a compromised password. In examples the users may be required to change the same or similar personal passwords. In an embodiment, indications, recommendations, or requirements made by remediation unit 224 to a user regarding reuse or security of the user's personal information are determined in a manner that ensures that the privacy of users of the security awareness system 202 is maintained.

According to an implementation, risk score calculator 222 may adjust a risk score for a user based on one or more actions that the user takes after remediation. In examples, if a user is prompted to change one or more of his or her organization passwords or personal passwords, risk score calculator 222 may adjust the risk score of the user based on the user's actions in response to the prompt. In an example, risk score calculator 222 may adjust a risk score of the user according to the timeframe in which the user performed an action in response to a prompt. In an implementation, risk score calculator 222 may determine whether a user changed one or more organizational passwords based on an interaction of the user with the organization's password system, for example, an Active Directory.

In an example, a user may register for a personal domain website using his or her organization login credentials, such as the user's organization email address and/or the user's password. In an implementation, detection unit 226 may detect whether the user has registered for the personal domain website using his or her organization login credentials as previously described. In an implementation, detection unit 226 may continuously or periodically monitor a mailbox of the user for certain types of email messages, such as registration email validation messages and promotional messages that are typically sent from personal domain websites.

According to an implementation, security awareness system 202 and detection unit 226 may use, build and/or maintain a database of email addresses, registration email validation messages and/or promotional messages that are known to be used by examples of personal domain websites to communicate with registered users of the personal domain website. In an implementation, such a database may be website information storage 234. In an implementation, detection unit 226 may monitor a mailbox of a user for messages from email addresses within website information storage 234. If any such email in the mailbox of the user is found within website information storage 234, detection unit 226 may determine that the user has registered for a personal domain website using the user's organization email address. In an example, detection unit 226 may maintain a list of email addresses used by personal domain websites, such as “amazon.com” and “twitter.com”. For example, an email address associated with the personal domain website “amazon.com” may be “store-news@amazon.com” and an email address associated with the personal domain website “twitter.com” may be “info@twitter.com.” In examples, if an email from the email address “info@twitter.com” is found in a mailbox of a user, detection unit 226 may determine that the user has registered for the personal domain website “twitter.com” using the user's organization email address.

According to an implementation, detection unit 226 may use a database of examples of registration email validation messages and promotional messages used by personal domain websites to communicate with registered users and may further build a query or queries with the aim of detecting the same or similar messages within the mailbox of the user. In an implementation, detection unit 226 may determine key content segments which are typical of examples of registration email validation messages and promotional messages used by personal domain websites to communicate with registered users and may combine key content segments together in one or more queries. Detection unit 226 may assign a search score for one or more emails in a user's mailbox based on one or more queries and determine from the search score the likelihood of an email being either a registration email validation message or a promotional message. In an example, if three key content segments are found in an email, then a search score for the message may be 3. In some examples, if nine key content segments are found in an email, then a search score for the email may be 9. In an implementation, detection unit 226 may generate a search score for each of the one or more emails found in the user's mailbox. In a further example, a threshold score of the search score for an email for the email to be classified as a registration email validation message may be different from a threshold score of the search score for an email for the email to be classified as a promotional message. For example, a threshold score for the search score of an email for the email to be classified as a registration email validation message may be 4 and the threshold score for the search score of an email for the email to be classified as a promotional message may be 8. Accordingly, if an email found in a mailbox of the user has a search score of 5, detection unit 226 may determine that the email is a registration email validation message. Further, if an email found in a mailbox of the user has a search score of 9, then detection unit 226 may determine that the email is a promotional message.
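The two mailbox-side detections of the preceding paragraphs (a match against the sender list in website information storage 234, such as “info@twitter.com”, and the key-content-segment search score with the example thresholds of 4 for a registration validation message and 8 for a promotional message) can be shown together over a small constructed mailbox. The following is an added example and not the patent's own query logic; the key content segments, the sample messages and the rule that a listed sender alone counts as a detection are assumptions, and the two sender addresses are the ones the text names.

```python
# Constructed sender list standing in for website information storage 234; the two
# addresses come from the text, the mapping itself is an assumption.
KNOWN_SENDERS = {
    "store-news@amazon.com": "amazon.com",
    "info@twitter.com": "twitter.com",
}

# Constructed key content segments typical of validation and promotional mail (assumption).
KEY_SEGMENTS = (
    "verify your email", "confirm your account", "welcome to", "click the link",
    "activate", "unsubscribe", "special offer", "limited time", "% off",
    "shop now", "free shipping", "exclusive",
)

REGISTRATION_THRESHOLD = 4   # the text's example thresholds
PROMOTIONAL_THRESHOLD = 8


def search_score(subject, body):
    """Count how many key content segments occur in the message (case-insensitive)."""
    text = f"{subject}\n{body}".lower()
    return sum(1 for segment in KEY_SEGMENTS if segment in text)


def classify(sender, subject, body):
    """Score one message and decide whether it points at a personal-site registration."""
    score = search_score(subject, body)
    if score >= PROMOTIONAL_THRESHOLD:
        kind = "promotional"
    elif score >= REGISTRATION_THRESHOLD:
        kind = "registration_validation"
    else:
        kind = None
    site = KNOWN_SENDERS.get(sender.lower())
    if site is not None and kind is None:
        kind = "known_sender"                        # a listed sender is enough on its own
    elif site is None and kind is not None:
        site = sender.rsplit("@", 1)[-1].lower()     # infer the site from the sender domain
    return {"score": score, "kind": kind, "site": site}


def scan_mailbox(messages):
    """Return (site, kind) for each message indicating the work address was used to register."""
    hits = []
    for message in messages:
        result = classify(message["from"], message["subject"], message["body"])
        if result["site"] is not None:
            hits.append((result["site"], result["kind"]))
    return hits


# Constructed sample mailbox (not real mail) covering each outcome.
SAMPLE_MAILBOX = [
    {"from": "no-reply@example-shop.test",
     "subject": "Welcome to ExampleShop - verify your email",
     "body": "Click the link below to confirm your account and activate it."},
    {"from": "deals@example-shop.test",
     "subject": "Special offer: 30% off, limited time!",
     "body": "Exclusive deals for you. Shop now and get free shipping. "
             "Click the link to activate your coupon. Unsubscribe here."},
    {"from": "info@twitter.com", "subject": "New login to your account", "body": "Hi there."},
    {"from": "colleague@corp.example", "subject": "Meeting notes", "body": "See attached."},
]
```

The first sample message contains five segments and so falls between the two thresholds, which the text's rule classifies as a registration validation message; the second contains nine and is classified as promotional; the Twitter notice scores 0 but is detected through the sender list; the internal meeting mail is left alone.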

According to some embodiments, security awareness system 202 and detection unit 226 may use, build and/or maintain a list of login pages for known or popular personal domain websites, such as food delivery service websites (for example, Door Dash® and Uber Eats®), travel websites (for example, Hotels.com® and Airbnb™), shopping websites (for example, amazon.com and walmart.com), and other such websites. In an example implementation, detection unit 216 may store the list of login pages for known or popular personal domain websites in website information storage 234. Periodically or in response to an event such as the detection of a suspicious email message in a user's mailbox, detection unit 226 may attempt to log in to each of the personal domain websites' login pages using the organization login credentials of the user. If a login attempt with the user's organization login credentials is successful for a personal domain website, detection unit 226 may determine that the user has registered for the personal domain website using his or her organization login credentials.

In some embodiments, detection unit 226, using a list of login pages for personal domain websites stored in website information storage 234, may access a reset password link of one or more accounts of personal domain websites which in examples presents an interface to enter the email address associated with the forgotten password. Detection unit 226 may provide the user's organization email address as the email address for the account and if an email is sent to the user's organization email address with a password reset link, then detection unit 226 may determine that the user has registered for the personal domain website using the user's organization login credentials. In an implementation, for example to avoid bulk traffic to a single website, detection unit 226 may use this approach for randomized or periodic checks of one or more users, rather than checking all the users in the organization at the same time. In examples, detection unit 226 may use a plurality of IP addresses to access a reset password link of one or more accounts of personal domain websites to avoid appearing as a DoS attack.

In an implementation, upon detecting emails or messages such as email validation messages, promotional messages, or other messages received from the personal domain website in a mailbox of a user, security awareness system 202 may delete the detected emails. In examples security awareness system 202 may prompt or require a user to change his or her organization password or personal passwords. In further examples security awareness system 202 may deliver remedial training to the user. In some implementations, if security awareness system 202 determines that a user has employed organization login credentials in registering for a personal domain website, detection unit 226 may interact with email server 206 and trigger email server 206 to disable the user's organization password and require the user to create new organization login credentials, for example a new organization password, before the user is able to access various servers and services of the organization.

According to an embodiment, security awareness system 202 may implement monitoring processes in a manner that respects the privacy laws of a country in which the organization of the user and/or the user is located. In an example, security awareness system 202 may obfuscate a user's personal information from a system administrator, and the user may have the option to manage the amount of personal information that is to be made visible to the system administrator. In examples, if a user's personal or work email account is deactivated or archived, or the user de-registers some or all of their personal information from security awareness system 202, then security awareness system 202 may remove the user's personal information, for example as a best practice and/or to comply with various privacy regulations such as the General Data Protection Regulation (GDPR).

In one or more embodiments, a user may choose to de-register his or her personal information from security awareness system 202 at any time. In such a scenario, all personal information and other relevant records pertaining to the user may be removed or deleted from security awareness system 202. In an example, a personal risk score of the user may be removed from risk score storage 232; however, the effect that the personal risk score of the user contributed to the risk score of the user may persist despite the user de-registering their personal information. In some examples, some or all of the component of the risk score of the user contributed by the personal risk score of the user is reversed if the user de-registers his or her personal information from security awareness system 202.

FIG. 3 depicts flowchart 300 for detecting that the user has registered for a personal domain website using an organization email address, according to some embodiments.

Step 302 includes generating a query using key content segments determined based on at least one of known registration email validation messages and known promotional messages from personal domain websites. In an example, registration email validation messages and promotional messages from various personal domain websites may include certain key content segments in common, which may be combined and reused to generate a query. In an implementation, key content segments used to build queries in the past may be altered to increase the probability of detecting one or more registration email validation messages and/or promotional messages.

In an implementation, detection unit 226 may generate a query of key content segments that appear in the known registration email validation messages and promotional messages from personal domain websites. In an example, detection unit 226 may alter key content segments used to build queries in the past to increase the probability of detecting one or more registration email validation messages and/or promotional messages, based on characteristics of known or sample registration email validation messages and/or promotional messages. In an implementation, detection unit 226 may apply an AI model to generate the query.

Step 304 includes monitoring, by detection unit 226 using a generated query, a mailbox of a user to detect one or more emails which include key content segments. In an implementation, detection unit 226 may be configured to monitor one or more or all folders of the mailbox of the user, including for example an inbox folder, a junk email folder, a deleted items folder, and one or more spam email folders. In an implementation, detection unit 226 may be configured to train an AI model to detect one or more emails which include key content segments, for example using sample or known registration email validation messages and/or promotional messages, the AI model then being used to recognize registration email validation messages and/or promotional messages in a user's mailbox.

Step 306 includes generating, for example by detection unit 226, a search score for one or more emails in the user's mailbox. In examples, the search score is based on key content segments found in the one or more emails. In an implementation, detection unit 226 may generate a search score for all emails found in the user's mailbox. In examples, detection unit 226 may generate a search score only for one or more emails found in the user's mailbox that include a minimum number of key content segments.

Step 308 includes determining an email from the mailbox of the user to be one of a registration email validation message or a promotional message based on the search score. In examples, detection unit 226 determines one or more emails from the mailbox of the user to be one of a registration email validation message or a promotional message based on the search scores of the one or more emails exceeding a threshold score. In an implementation, detection unit 226 may determine an email from the one or more folders of the mailbox of the user to be one of a registration email validation message or a promotional message based on the search score of the email exceeding a threshold score. In examples, detection unit 226 may determine that an email from the one or more folders of the mailbox of the user is a registration email validation message based on the search score of the email being less than, equal to, or greater than a first threshold score, and detection unit 226 may determine that an email from the one or more folders of the mailbox of the user is a promotional message based on the search score of the email being less than, equal to, or greater than a second threshold score.

Step 310 includes performing one or more actions based on determining that the email is one of a registration email validation message or a promotional message. In examples, the one or more actions may be performed by remediation unit 224. In examples, the one or more actions performed by remediation unit 224 based on determining that the email is one of a registration email validation message or a promotional message include one or more of deleting the email from the user's mailbox, prompting the user to change an organization password, and providing training to the user on personal domain use of organization login credentials. In an implementation, if detection unit 226 determines that the email is one of a registration email validation message or a promotional message, remediation unit 224 may perform one or more actions separately or in combination. In examples, where remediation unit 224 performs more than one action, the actions performed by remediation unit 224 are performed at different times, for example separated by a minimum time period.

In an implementation, if detection unit 226 determines that an email from the one or more folders of the mailbox of the user is a registration email validation message or a promotional message, security awareness system 202 may remove the registration email validation message or the promotional message from the user's mailbox, such that the user cannot validate the personal domain registration by interacting with the registration email validation message, or such that the user cannot interact with the promotional message. In an implementation, responsive to detection unit 226 determining that an email message from the one or more folders of the mailbox of the user is a registration email validation message or a promotional message, security awareness system 202 may prompt or require the user to change their organization password. In some implementations, detection unit 226 may interact with email server 206 and trigger email server 206 to disable the user's organization password and require the user to create a new organization password. In implementations, remediation unit 224 may provide training to the user.
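Steps 302 through 310 of FIG. 3, as an added example that is not code from the patent: a query of key content segments is built from known sample messages, every folder of a mailbox is scanned with it, each email gets a search score, and the two thresholds decide whether it is a registration validation message or a promotional message. The n-gram heuristic for deriving segments, the thresholds, the precedence rule when both thresholds are met, and all sample messages are assumptions constructed for this example.

```python
"""Added example, not the patent's own code: key-content-segment query
(step 302), mailbox scan over all folders (step 304), search scores (step 306),
threshold classification (step 308) and candidate actions (step 310).
Samples, thresholds and the n-gram heuristic are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

WORD = re.compile(r"[a-z0-9']+")

# Assumed thresholds: a first threshold for registration validation messages
# and a second for promotional messages.
REGISTRATION_THRESHOLD = 4
PROMOTIONAL_THRESHOLD = 3


def tokens(text: str) -> List[str]:
    return WORD.findall(text.lower())


def key_segments(samples: Iterable[str], n: int = 3, min_support: int = 2) -> Set[str]:
    """Step 302: key content segments are word n-grams that recur across at
    least min_support of the known sample messages. Re-running this with new
    samples is how the query is altered over time."""
    support: Counter = Counter()
    for sample in samples:
        toks = tokens(sample)
        support.update({tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)})
    return {" ".join(gram) for gram, count in support.items() if count >= min_support}


@dataclass(frozen=True)
class Email:
    folder: str      # inbox, junk, deleted, spam: every folder is scanned
    subject: str
    body: str


@dataclass(frozen=True)
class Detection:
    email: Email
    kind: str        # "registration" or "promotional"
    registration_score: int
    promotional_score: int


def search_score(email: Email, query: Set[str]) -> int:
    """Step 306: the search score is the number of distinct key content
    segments from the query that occur in the subject or body."""
    haystack = " " + " ".join(tokens(email.subject + " " + email.body)) + " "
    return sum(1 for segment in query if f" {segment} " in haystack)


def classify(reg_score: int, promo_score: int) -> Optional[str]:
    """Step 308: compare the scores with the two thresholds. Registration
    validation takes precedence when both are met (assumption)."""
    if reg_score >= REGISTRATION_THRESHOLD:
        return "registration"
    if promo_score >= PROMOTIONAL_THRESHOLD:
        return "promotional"
    return None


def scan_mailbox(mailbox: Iterable[Email], reg_query: Set[str], promo_query: Set[str]) -> List[Detection]:
    """Step 304: monitor every folder, so a validation message the user already
    deleted, or that landed in junk, is still found."""
    detections = []
    for email in mailbox:
        r, p = search_score(email, reg_query), search_score(email, promo_query)
        kind = classify(r, p)
        if kind:
            detections.append(Detection(email, kind, r, p))
    return detections


def remediation_actions(detection: Detection) -> List[str]:
    """Step 310: candidate actions for remediation unit 224. The message is
    removed first so the user cannot validate the registration with it; the
    remaining actions can be spaced out by policy."""
    actions = ["delete_message"]
    if detection.kind == "registration":
        actions += ["prompt_organization_password_change", "assign_training"]
    return actions


# Constructed known samples (assumption: these stand in for real collected ones).
KNOWN_REGISTRATION = [
    "Thanks for signing up! Please verify your email address by clicking the link below to activate your account.",
    "Welcome! To complete your registration, please verify your email address by clicking the link below.",
    "One more step: verify your email address to activate your account.",
]
KNOWN_PROMOTIONAL = [
    "Summer sale: 30% off everything for a limited time. Shop now. To stop receiving these emails, unsubscribe here.",
    "Don't miss out: 20% off sitewide for a limited time only. Shop now! To stop receiving these emails, unsubscribe here.",
    "Flash deal ends tonight. Shop now and save. To stop receiving these emails, click unsubscribe.",
]
# Constructed mailbox content, including a validation message the user deleted.
MAILBOX = [
    Email("inbox", "Verify your email", "Hi, thanks for creating an account. Please verify your email address by clicking the link below to activate your account. The link expires in 24 hours."),
    Email("junk", "40% off this week", "Save 40% off everything for a limited time. Shop now to stop missing out. To stop receiving these emails, unsubscribe here."),
    Email("inbox", "Q3 planning", "Please find the agenda attached. Let me know if you want to verify your availability before the meeting."),
    Email("deleted", "Confirm your email", "Welcome to the forum. Verify your email address to activate your account."),
]

if __name__ == "__main__":
    reg_query, promo_query = key_segments(KNOWN_REGISTRATION), key_segments(KNOWN_PROMOTIONAL)
    for d in scan_mailbox(MAILBOX, reg_query, promo_query):
        print(f"[{d.email.folder}] {d.email.subject!r}: {d.kind} "
              f"(reg={d.registration_score}, promo={d.promotional_score}) -> {remediation_actions(d)}")
```

The segment set is deliberately rebuilt from samples rather than hand-written so that the query can be refreshed as new validation and promotional messages are collected; the business email in the inbox scores zero on both queries and is left alone, while the validation message in the deleted items folder is still detected.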

FIG. 4 depicts flowchart 400 for using personal information for determining a personal risk score of the user of the organization, according to some embodiments.

Step 402 includes receiving registration of personal information of a user of an organization. In an implementation, security awareness system 202 may send a request to the user asking the user to provide his or her personal information. In some embodiments, the user may be asked to voluntarily provide his or her personal information, and the user may choose to provide his or her personal information or may choose not to provide it. In some embodiments, the user may be required to provide some personal information in order for the user to gain access to one or more services or systems of the organization. Upon receiving a voluntary request, the user may opt to provide the personal information to security awareness system 202. In some embodiments, a user's personal information may include one or more personal email addresses of the user. In some embodiments, a user's personal information may include one or more personal usernames of the user. In some embodiments, a user's personal information may include one or more personal passwords of the user.

Step 404 includes performing at least one of an exposure check or a security audit of the personal information of the user. In an implementation, exposure check unit 218 may be configured to perform an exposure check on some or all of the personal information of the user that was provided by the user. In examples, exposure check unit 218 may perform an exposure check on some or all of the personal information of the user by searching for one or more of a user's personal email address, a user's personal username, or a user's personal password in one or more breach databases 208(1-N). In examples, exposure check unit 218 may be configured to store the results of one or more exposure checks on the personal information provided by the user in memory, for example memory 214, risk score storage 232, or personal information storage 230.

In an implementation, security audit unit 220 may be configured to perform a security audit on some or all of the personal information of the user that was provided by the user. In examples, security audit unit 220 performs a security audit of one or more personal passwords of the user by assessing a strength of the one or more personal passwords of the user. In examples, security audit unit 220 performs a security audit of one or more personal passwords of the user by comparing the one or more personal passwords of the user to password requirements of the organization. In examples, security audit unit 220 may be configured to store the results of one or more security audits on personal information provided by the user in memory, for example memory 214, risk score storage 232, or personal information storage 230.

Step 406 includes adjusting a personal risk score of the user based at least on a result of one or more of an exposure check and/or a security audit on personal information provided by the user. In an implementation, risk score calculator 222 may be configured to generate a personal risk score for a user based at least on the result of one of an exposure check or a security audit on personal information provided by the user. In an implementation, risk score calculator 222 may be configured to adjust a previously determined personal risk score of a user based at least on the result of one of the exposure check or the security audit on personal information provided by the user. According to an embodiment, risk score calculator 222 may adjust the personal risk score of the user based at least on the user voluntarily registering personal information with security awareness system 202. In an implementation, risk score calculator 222 may determine a risk score for a user based at least on the personal risk score of the user.

FIG. 5 depicts flowchart 500 for performing a remedial training or a simulated phishing campaign directed to the user based on a personal risk score of the user, according to some embodiments.

Step 502 includes receiving personal information of a user of an organization, for example as described previously in step 402 of FIG. 4. In an implementation, security awareness system 202 may send a request to the user to provide his or her personal information. Upon receiving the request or otherwise, the user may opt to provide personal information to security awareness system 202. In some examples, the personal information provided by the user of the organization includes one or more personal email addresses.

Step 504 includes verifying that a user's personal email address is used in a personal domain of the user. In an implementation, verification unit 216 may verify the email address identified by the personal information and used in the personal domain of the user by attempting to log in to the personal domain with one or more of the personal email addresses provided by the user.

Step 506 includes storing the personal information of the user in response to verification unit 216 verifying that one or more personal email addresses of the user have been used in the personal domain of the user. In an implementation, verification unit 216 may be configured to store the personal information of the user in response to the email address used in the personal domain of the user being verified. In an implementation, verification unit 216 may store the email address used in the personal domain of the user in user personal information storage 230. In an example, the email address may be stored in an encrypted or obfuscated form. In an implementation, verification unit 216 may associate the email address used in the personal domain of the user with a security awareness profile stored in risk score storage 232. In some examples, access to the one or more personal email addresses of the user stored in user personal information storage 230 may be limited to some services or systems of the user's organization.

Step 508 includes performing at least one of an exposure check or a security audit of the personal information of the user, for example as was described in step 404 of FIG. 4. In an implementation, exposure check unit 218 may be configured to perform the exposure check by searching, using at least one personal email address or personal username of the user provided in the user's personal information, in one or more breach databases 208(1-N). Further, in an implementation, security audit unit 220 may be configured to perform a security audit by assessing a strength of one or more personal passwords from the user's personal information and compliance of the one or more personal passwords of the user with the password requirements of the organization.

Step 510 includes adjusting a personal risk score of the user based at least on a result of one of the exposure check or the security audit, for example as described in step 406 of FIG. 4. In an implementation, risk score calculator 222 may be configured to adjust the personal risk score of the user based at least on the result of one of the exposure check or the security audit. According to an embodiment, risk score calculator 222 may adjust the personal risk score of the user based at least on the user's registration of the personal information with security awareness system 202. Also, in an implementation, risk score calculator 222 may determine an overall risk score for the user based at least on the personal risk score of the user.

Step 512 includes performing one of a remedial training or a simulated phishing campaign directed to the user based on the personal risk score of the user. In an implementation, remediation unit 224 may be configured to perform one or more remedial trainings, and security awareness system 202 may be configured to perform one or more simulated phishing campaigns directed to the user, based on a set level, an increase, or a decrease in the user's personal risk score.
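Steps 404 and 406 of FIG. 4 and steps 508 through 512 of FIG. 5, as an added example that is not the patent's own code: an exposure check of registered emails and passwords against a breach database, a security audit of the passwords against the organization's password requirements, a personal risk score that credits voluntary registration and charges for exposures and audit findings, and a choice of remedial training or a simulated phishing campaign from the score's level and its change. The breach data, the policy, the weights, the thresholds and the two users are constructed; looking the values up by SHA-1 hash prefix so that the full email or password never leaves the system is an added privacy measure assumed here, not something the patent describes.

```python
"""Added example, not code from the patent: exposure check (unit 218), security
audit (unit 220), personal risk score (calculator 222) and the step 512 action
choice. Breach data, policy, weights and users are constructed; the hash-prefix
lookup is an assumed privacy measure."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def sha1(value: str) -> str:
    return hashlib.sha1(value.encode()).hexdigest().upper()


# Constructed breach database 208(1): hashes of leaked emails and passwords.
BREACH_DB: Set[str] = {sha1(v) for v in ["leaked.user@example.test", "Winter2019!", "password123"]}
PREFIX_LEN = 5


def breach_candidates(prefix: str) -> Set[str]:
    """What the breach database answers to a prefix query (constructed). Only
    the prefix is sent; the full match is made locally below."""
    return {h for h in BREACH_DB if h.startswith(prefix)}


def exposed(value: str) -> bool:
    """Exposure check unit 218: search for a personal email, username or
    password in the breach database without disclosing the value itself."""
    h = sha1(value)
    return h in breach_candidates(h[:PREFIX_LEN])


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed organization password requirements."""
    min_length: int = 12
    classes_required: int = 3      # of lowercase, uppercase, digit, symbol
    forbidden_substring: str = "acme"


def audit_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Security audit unit 220: strength and compliance findings (empty = OK)."""
    findings = []
    if len(pw) < policy.min_length:
        findings.append("too_short")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < policy.classes_required:
        findings.append("too_few_character_classes")
    if policy.forbidden_substring in pw.lower():
        findings.append("contains_organization_name")
    return findings


@dataclass
class Registration:
    emails: List[str]
    passwords: List[str] = field(default_factory=list)


@dataclass
class Assessment:
    personal_risk_score: int
    findings: Dict[str, object]


# Assumed weights; higher score means higher risk to the organization.
WEIGHTS = {"exposed_email": 15, "exposed_password": 30, "weak_password": 10}


def personal_risk_score(reg: Registration, policy: PasswordPolicy, base: int = 50) -> Assessment:
    """Risk score calculator 222: start from a baseline, credit voluntary
    registration (more addresses, password information), then charge for each
    exposure and each password that fails the audit. Clamped to 0..100."""
    score = base
    findings: Dict[str, object] = {"exposed_emails": [], "exposed_passwords": 0, "weak_passwords": 0}
    score -= 5 * min(len(reg.emails), 3)       # claim 4: more addresses, lower score
    if reg.passwords:
        score -= 5                              # claim 5: password info provided, lower score
    for email in reg.emails:
        if exposed(email):
            findings["exposed_emails"].append(email)
            score += WEIGHTS["exposed_email"]
    for pw in reg.passwords:
        if exposed(pw):
            findings["exposed_passwords"] += 1
            score += WEIGHTS["exposed_password"]
        if audit_password(pw, policy):
            findings["weak_passwords"] += 1
            score += WEIGHTS["weak_password"]
    return Assessment(max(0, min(100, score)), findings)


def next_action(previous: Optional[int], current: int, high: int = 70) -> Optional[str]:
    """Step 512: a set level triggers remedial training; an increase since the
    last assessment triggers a simulated phishing campaign; otherwise nothing."""
    if current >= high:
        return "remedial_training"
    if previous is not None and current > previous:
        return "simulated_phishing_campaign"
    return None


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed users: one with a breached address and password, one clean.
    for name, reg, prev in [("alice", Registration(["leaked.user@example.test", "second@example.test"], ["Winter2019!"]), None),
                            ("bob", Registration(["clean@example.test"], ["Correct-Horse-Battery-7"]), 35)]:
        a = personal_risk_score(reg, policy)
        print(f"{name}: score={a.personal_risk_score} findings={a.findings} action={next_action(prev, a.personal_risk_score)}")
```

Storing the audit results rather than the passwords themselves is the point of returning findings: the score and the finding labels can go to risk score storage while the registered passwords stay in personal information storage under the access limits the text describes.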

While various embodiments of the methods and systems have been described, these embodiments are illustrative and in no way limit the scope of the described methods or systems. Those having skill in the relevant art can effect changes to form and details of the described methods and systems without departing from the broadest scope of the described methods and systems. Thus, the scope of the methods and systems described herein should not be limited by any of the illustrative embodiments and should be defined in accordance with the accompanying claims and their equivalents.

What is claimed is:
1. A method comprising: performing, by one or more processors, at least one of an exposure check against one or more breach databases or a security audit of personal information registered by a user of an organization; determining, by the one or more processors, a personal risk score of the user based at least on a result of one of the exposure check or the security audit, the personal risk score representing a level of risk that the personal information of the user presents to the organization; and causing, by the one or more processors based at least on the personal risk score of the user, one of a computer-based remedial training or a simulated phishing campaign directed to the user.
2. The method of claim 1, further comprising receiving, by the one or more processors, an action of the user to register the personal information.
3. The method of claim 1, further comprising setting, by the one or more processors, the personal risk score of the user at the level of risk that indicates an action of the user opting-in to register the personal information.
4. The method of claim 1, further comprising setting, by the one or more processors if the personal information registered by the user provides more than one email address, the personal risk score of the user at a lower level than a personal risk score of a second user that provided one email address in the personal information registered by the second user.
5. The method of claim 1, further comprising setting, by the one or more processors if the personal information registered by the user provides password information, the personal risk score of the user at a lower level than a personal risk score of a second user that does not provide password information in the personal information registered by the second user.
6. The method of claim 1, further comprising causing, by the one or more processors, the computer-based remedial training to display a pop-up message to communicate with the user.
7. The method of claim 1, further comprising causing, by the one or more processors, the display of a prompt requiring the user to create a new password with the organization of the user.
8. The method of claim 1, wherein the personal risk score identifies a level of risk for a group of users.
9. The method of claim 1, further comprising updating, by the one or more processors, the personal risk score to one of increase or decrease the personal risk score.
10. The method of claim 1, wherein the personal risk score comprises at least a component representing a willingness of the user to register the personal information to the organization to which the user is not obliged to register the personal information.
11. A system comprising: one or more processors, coupled to memory and configured to: perform at least one of an exposure check against one or more breach databases or a security audit of personal information registered by a user of an organization; determine a personal risk score of the user based at least on a result of one of the exposure check or the security audit, the personal risk score representing a level of risk that the personal information of the user presents to the organization; and cause, based at least on the personal risk score of the user, one of a computer-based remedial training or a simulated phishing campaign directed to the user.
12. The system of claim 11, wherein the one or more processors are further configured to receive an action of the user to register the personal information.
13. The system of claim 11, wherein the one or more processors are further configured to set the personal risk score of the user at the level of risk that indicates an action of the user opting-in to register the personal information.
14. The system of claim 11, wherein the one or more processors are further configured to set, if the personal information registered by the user provides more than one email address, the personal risk score of the user at a lower level than a personal risk score of a second user that provided one email address in the personal information registered by the second user.
15. The system of claim 11, wherein the one or more processors are further configured to set, if the personal information registered by the user provides password information, the personal risk score of the user at a lower level than a personal risk score of a second user that does not provide password information in the personal information registered by the second user.
16. The system of claim 11, wherein the one or more processors are further configured to cause the computer-based remedial training to display a pop-up message to communicate with the user.
17. The system of claim 11, wherein the one or more processors are further configured to cause the display of a prompt requiring the user to create a new password with the organization of the user.
18. The system of claim 11, wherein the personal risk score identifies a level of risk for a group of users.
19. The system of claim 11, wherein the one or more processors are further configured to update the personal risk score to one of increase or decrease the personal risk score.
20. The system of claim 11, wherein the personal risk score comprises at least a component representing a willingness of the user to register the personal information to the organization to which the user is not obliged to register the personal information.